Vulnerability CVE-2014-2988
Published: 2014-10-26   Modified: 2014-10-27

Description:
EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

See advisories in our WLB2 database:
Topic
Author
Date
High
EGroupware 1.8.006 Cross Site Request Forgery / Code Injection
High-Tech Bridge...
16.05.2014

Type:

CWE-94

 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
8.5/10
10/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Egroupware -> Egroupware 

 References:
http://advisories.mageia.org/MGASA-2014-0221.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:087
http://www.securityfocus.com/archive/1/532103/100/0/threaded
https://www.htbridge.com/advisory/HTB23212
Copyright 2024, cxsecurity.com

 

Back to Top