CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40614
https://notcve.org/view.php?id=CVE-2024-40614
07 Jul 2024 — EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting. EGroupware anterior al 23.1.20240624 maneja mal una cláusula ORDER BY. • https://github.com/EGroupware/egroupware/commit/553829d30cc2ccdc0e5a8c5a0e16fa03a3399a3f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2017-14920
https://notcve.org/view.php?id=CVE-2017-14920
29 Sep 2017 — Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator. Una vulnerabilidad de Cross-Site Scripting (XSS) persistente en las versiones anteriores a 16.1.20170922 de eGroupware Community Edition permite que un atacante remoto sin autenticar inyecte código JavaScript mediante la cabecera HTTP User-Agent, la cual no se gestion... • http://openwall.com/lists/oss-security/2017/09/28/12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 3%CPEs: 2EXPL: 3CVE-2014-2987 – eGroupWare 1.8.006 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-2987
16 May 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execu... • https://packetstorm.news/files/id/126643 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 2CVE-2014-2988 – EGroupware 1.8.006 Cross Site Request Forgery / Code Injection
https://notcve.org/view.php?id=CVE-2014-2988
16 May 2014 — EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987. EGroupware Enterprise Line (EPL) anterior a 1.1.20140505, EGroupware Community Edition anterior a 1.8... • https://packetstorm.news/files/id/126643 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2014-2027 – Egroupware 1.8.005 PHP Object Insertion
https://notcve.org/view.php?id=CVE-2014-2027
21 Feb 2014 — eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5) info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed parameter to preferences/inc/class.uiaclprefs.inc.php. eGroupware anterior a 1.8.006.20140217 ... • https://packetstorm.news/files/id/125327 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2012-2211
https://notcve.org/view.php?id=CVE-2012-2211
22 Nov 2012 — Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. NOTE: some of these details are obtained from third party information. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en phpgwapi/inc/common_functions_inc.php en eGroupware antes de v1.8.004.20120405 permite a atacantes remotos inyectar ... • http://packetstormsecurity.org/files/111626/egroupware-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2011-4948
https://notcve.org/view.php?id=CVE-2011-4948
31 Aug 2012 — Directory traversal vulnerability in admin/remote.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter. Vulnerabilidad de salto de directorio en admin/remote.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacantes remotos leer ficheros de su e... • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2011-4949
https://notcve.org/view.php?id=CVE-2011-4949
31 Aug 2012 — SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id parameter. Vulnerabilidad de inyección SQL en phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a at... • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2011-4950
https://notcve.org/view.php?id=CVE-2011-4950
31 Aug 2012 — Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en phpgwapi/js/jscalendar/test.php en EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permi... • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2011-4951
https://notcve.org/view.php?id=CVE-2011-4951
31 Aug 2012 — Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter. Vulnerabilidad de redirección abierta en phpgwapi/ntlm/index.php de EGroupware Enterprise Line (EPL) anteriores a v11.1.20110804-1 y EGroupware Community Edition anteriores a v1.8.001.20110805 permite a atacante... • http://comments.gmane.org/gmane.comp.web.egroupware.german/33144 •