CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2011-4949
https://notcve.org/view.php?id=CVE-2011-4949
SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id parameter. Vulnerabilidad de inyección SQL en phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro id. • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 http://packetstormsecurity.org/files/100179/eGroupware-1.8.001-SQL-Injection.html http://www.autosectools.com/Advisory/eGroupware-1.8.001-SQL-Injection-179 http://www.egroupware.org/changelog http://www.egroupware.org/epl-changelog http://www.openwall.com/lists/oss-security/2012/03/29/1 http://www.openwall.com/lists/oss-security/2012/03/30/3 http://www.securityfocus.com/bid/52770 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 1CVE-2011-4951
https://notcve.org/view.php?id=CVE-2011-4951
Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter. Vulnerabilidad de redirección abierta en phpgwapi/ntlm/index.php de EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacantes remotos redirigir a los usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través de una URL en el parámetro forward. • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 http://packetstormsecurity.org/files/101675/eGroupware-1.8.001.20110421-Open-Redirect.html http://www.autosectools.com/Advisory/eGroupware-1.8.001-Reflected-Cross-site-Scripting-178 http://www.egroupware.org/changelog http://www.egroupware.org/epl-changelog http://www.openwall.com/lists/oss-security/2012/03/29/1 http://www.openwall.com/lists/oss-security/2012/03/30/3 http://www.securityfocus.com/bid/52770 •
CVSS: 5.0EPSS: 6%CPEs: 2EXPL: 2CVE-2011-4948
https://notcve.org/view.php?id=CVE-2011-4948
Directory traversal vulnerability in admin/remote.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter. Vulnerabilidad de salto de directorio en admin/remote.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacantes remotos leer ficheros de su elección mediante los caracteres ..%2f (punto punto barra, codificados) en el parámetro type. • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 http://packetstormsecurity.org/files/101676/eGroupware-1.8.001.20110421-Local-File-Inclusion.html http://www.autosectools.com/Advisory/eGroupware-1.8.001.20110421-Local-File-Inclusion-224 http://www.egroupware.org/changelog http://www.egroupware.org/epl-changelog http://www.openwall.com/lists/oss-security/2012/03/29/1 http://www.openwall.com/lists/oss-security/2012/03/30/3 http://www.securityfocus.com/bid/52770 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2011-4950
https://notcve.org/view.php?id=CVE-2011-4950
Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en phpgwapi/js/jscalendar/test.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacantes remotos inyectar código web o HTML de su elección a través del parámetro lang. • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 http://packetstormsecurity.org/files/100180/eGroupware-1.8.001-Cross-Site-Scripting.html http://www.autosectools.com/Advisory/eGroupware-1.8.001-Reflected-Cross-site-Scripting-178 http://www.egroupware.org/changelog http://www.egroupware.org/epl-changelog http://www.openwall.com/lists/oss-security/2012/03/29/1 http://www.openwall.com/lists/oss-security/2012/03/30/3 http://www.securityfocus.com/bid/52770 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2012-2211 – Egroupware 1.8.002 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-2211
Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. NOTE: some of these details are obtained from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en phpgwapi/inc/common_functions_inc.php en eGroupware antes de v1.8.004.20120405 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro MenuAction a etemplate/process_exec.php. NOTA: algunos de estos detalles han sido obtenidos a partir de información de terceros. Egroupware version 1.8.002 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.org/files/111626/egroupware-xss.txt http://secunia.com/advisories/48703 http://www.egroupware.org/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •