PT-2004-2380 · Egroupware · Egroupware

Joxean Koret · Published 2004-12-31 · Updated 2017-07-11 · CVE-2004-1467

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: eGroupWare versions 1.0.00.003 and earlier
Description: The issue allows remote attackers to inject arbitrary web script or HTML via several fields in different modules, including the calendar, address, message, and Ticket modules. Specifically, the vulnerable fields are:
  • date or search text field in the calendar module,
  • Field parameter, Filter parameter, QField parameter, Start parameter or Search field in the address module,
  • Subject field in the message module,
  • Subject field in the Ticket module.
Recommendations: For eGroupWare versions 1.0.00.003 and earlier, consider disabling the calendar, address, message, and Ticket modules until a patch is available. Restrict access to the vulnerable fields in these modules to minimize the risk of exploitation. Avoid using the specified fields in the affected modules until the issue is resolved.
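
Detection example (added here, not part of the original advisory or of eGroupWare): a log check that flags requests whose address-module parameters named above carry HTML or script markup. The combined access-log format, the case-insensitive parameter matching, the /app/index.php path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Address-module parameter names from the advisory. Matched case-insensitively
# because the advisory does not give their exact spelling on the wire (assumption).
WATCHED_PARAMS = {"field", "filter", "qfield", "start"}

# Markup indicators checked after URL-decoding: a tag opener, an inline
# event-handler attribute, or a javascript: URI.
MARKUP = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.I)

# Request part of a combined-format access log entry (format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched parameters carrying markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    # parse_qsl percent-decodes once; unquote() decodes a second time so that
    # double-encoded values such as %253Cb%253E are also caught.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        decoded = unquote(value)
        if MARKUP.search(decoded):
            hits.append((name, decoded))
    return hits


# Constructed sample lines (documentation IP range, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] '
    '"GET /app/index.php?start=15&filter=none HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] '
    '"GET /app/index.php?QField=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200',
    '192.0.2.12 - - [01/Jan/2005:10:00:09 +0000] '
    '"GET /app/index.php?Start=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"markup in {name!r}: {value!r}")
```

Only query-string parameters show up in access logs. Fields submitted in a POST body need the same check applied at a reverse proxy or in application logging.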

Related Identifiers: CVE-2004-1467
Affected Products: Egroupware