PT-2014-5005 · Egroupware+1 · Egroupware Enterprise Line+3
Publicado
2014-10-27
·
Atualizado
2018-10-09
·
CVE-2014-2988
CVSS v2.0
8.5
Alta
| Vetor | AV:N/AC:M/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505
EGroupware Community Edition versions prior to 1.8.007.20140506
EGroupware versions prior to 14.1 beta
Description
The issue allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the
call user func PHP function. This can be achieved by exploiting the newsettings[system] parameter.Recommendations
For EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505, update to version 1.1.20140505 or later.
For EGroupware Community Edition versions prior to 1.8.007.20140506, update to version 1.8.007.20140506 or later.
For EGroupware versions prior to 14.1 beta, update to version 14.1 beta or later.
Exploit
Correção
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Egroupware
Egroupware Community Edition
Egroupware Enterprise Line
Php