CVE-2010-3313

Name of the Vulnerable Software and Affected Versions EGroupware versions 1.4.001+.002 through 1.6.001+.002 EGroupware version 1.6.003 and earlier EPL versions 9.1 through 9.1.20100308 EPL versions 9.2 through 9.2.20100308

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the aspell path or spellchecker lang parameters. This can be exploited by sending malicious input to the spellchecker functionality.

Recommendations For EGroupware versions 1.4.001+.002 through 1.6.001+.002, update to version 1.6.003 or later. For EGroupware version 1.6.003 and earlier, update to version 1.6.003 or later. For EPL versions 9.1 through 9.1.20100308, update to version 9.1.20100309 or later. For EPL versions 9.2 through 9.2.20100308, update to version 9.2.20100309 or later. As a temporary workaround, consider restricting access to the spellchecker functionality until a patch is available. Avoid using the aspell path and spellchecker lang parameters in the affected spellchecker functionality until the issue is resolved.