CVE-2014-2027

Name of the Vulnerable Software and Affected Versions eGroupware versions prior to 1.8.006.20140217

Description The issue allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code. This can be achieved via several parameters to different PHP files, including addr fields or trans parameter to "addressbook/csv import.php", cal fields or trans parameter to "calendar/csv import.php", info fields or trans parameter to "csv import.php" in "projectmanager/" or "infolog/", or processed parameter to "preferences/inc/class.uiaclprefs.inc.php".

Recommendations For versions prior to 1.8.006.20140217, update to version 1.8.006.20140217 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable PHP files, such as "addressbook/csv import.php", "calendar/csv import.php", "csv import.php" in "projectmanager/" or "infolog/", and "preferences/inc/class.uiaclprefs.inc.php", until a patch is applied. Avoid using the addr fields, trans, cal fields, info fields, and processed parameters in the affected API endpoints until the issue is resolved.