Description
IMP is a web-based mail client for IMAP and POP3 accounts. It is built atop the Horde Application Framework, a general-purpose web application library written in PHP.
A vulnerability in Horde IMP could allow unauthenticated command execution via PHP's imap_open function, which is reachable through an exposed debug page.
Remediation
The IMP debug page (accessible at http://example.com/horde/imp/test.php) should be deleted after installation.
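The check below is an added example, not part of the original advisory or of Horde's own tooling: a POSIX shell audit that finds leftover test.php files in any directory named imp under a web root and, in delete mode, removes them. The function names are hypothetical, and it assumes IMP is installed in a directory called imp, as in the URL above.

```shell
#!/bin/sh
# Added example: audit a web root for leftover IMP debug pages (imp/test.php).
# Assumption: IMP lives in a directory named "imp", as in the advisory's URL.
# Paths containing newlines are not supported.

# Print every file or symlink named test.php whose parent directory is "imp".
find_imp_debug_pages() {
    find "$1" \( -type f -o -type l \) -name test.php 2>/dev/null |
    while IFS= read -r page; do
        if [ "$(basename "$(dirname "$page")")" = imp ]; then
            printf '%s\n' "$page"
        fi
    done
}

# Report leftover debug pages; with mode "delete", remove them.
# Returns 0 when no debug page remains, 1 when at least one is still present.
audit_imp_debug_pages() {
    root=$1
    mode=${2:-report}
    remaining=0
    list=$(find_imp_debug_pages "$root")
    if [ -z "$list" ]; then
        return 0
    fi
    while IFS= read -r page; do
        if [ "$mode" = delete ] && rm -f -- "$page"; then
            echo "removed: $page"
        else
            echo "present: $page"
            remaining=$((remaining + 1))
        fi
    done <<EOF
$list
EOF
    [ "$remaining" -eq 0 ]
}

# Usage: sh audit.sh <webroot> [delete]
if [ "$#" -gt 0 ]; then
    audit_imp_debug_pages "$@"
fi
```

The non-zero exit status in report mode makes the script usable as a post-install or scheduled check that fails while a debug page is still on disk.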
Related Vulnerabilities
WordPress Plugin Subscribe Form Remote Command Execution (1.1)
Ektron CMS unauthenticated code execution and Local File Read
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-46731)
vBulletin 5 CONNECT remote code execution
WordPress Plugin Form Manager Remote Command Execution (1.7.2)