CVE-2014-2987

Name of the Vulnerable Software and Affected Versions EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505 EGroupware Community Edition versions prior to 1.8.007.20140506 EGroupware versions prior to 14.1 beta

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be achieved through two vectors: (1) creating an administrator user via an admin.uiaccounts.add user action to "index.php" or (2) modifying settings via the newsettings parameter in an admin.uiconfig.index action to "index.php". The second vector can be used to execute arbitrary PHP code.

Recommendations For EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505, update to version 1.1.20140505 or later. For EGroupware Community Edition versions prior to 1.8.007.20140506, update to version 1.8.007.20140506 or later. For EGroupware versions prior to 14.1 beta, update to version 14.1 beta or later. As a temporary workaround, consider restricting access to the admin.uiaccounts.add user and admin.uiconfig.index actions in "index.php" to minimize the risk of exploitation.