PT-2014-5005 · Egroupware+1 · Egroupware Enterprise Line+3

Published

2014-10-27

Updated

2018-10-09

CVE-2014-2988

CVSS v2.0

8.5

High

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505 EGroupware Community Edition versions prior to 1.8.007.20140506 EGroupware versions prior to 14.1 beta

Description The issue allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call user func PHP function. This can be achieved by exploiting the newsettings[system] parameter.

Recommendations For EGroupware Enterprise Line (EPL) versions prior to 1.1.20140505, update to version 1.1.20140505 or later. For EGroupware Community Edition versions prior to 1.8.007.20140506, update to version 1.8.007.20140506 or later. For EGroupware versions prior to 14.1 beta, update to version 14.1 beta or later.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2014-2988

Affected Products

Egroupware

Egroupware Community Edition

Egroupware Enterprise Line

Php

PT-2014-5005 · Egroupware+1 · Egroupware Enterprise Line+3

CVE-2014-2988

Weakness Enumeration

Related Identifiers

Affected Products

References · 6