Vulnerabilities > Egroupware
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-07 | CVE-2024-40614 | Unspecified vulnerability in Egroupware EGroupware before 23.1.20240624 mishandles an ORDER BY clause. | 9.8 |
| 2023-10-26 | CVE-2023-38328 | Insufficiently Protected Credentials vulnerability in Egroupware 17.1.20190111 An issue was discovered in eGroupWare 17.1.20190111. | 4.9 |
| 2017-09-30 | CVE-2017-14920 | Cross-site Scripting vulnerability in Egroupware Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator. | 4.3 |
| 2015-03-31 | CVE-2014-2027 | Code Injection vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805 eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5) info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed parameter to preferences/inc/class.uiaclprefs.inc.php. | 7.5 |
| 2014-10-27 | CVE-2014-2988 | Code Injection vulnerability in Egroupware EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. | 8.5 |
| 2014-10-26 | CVE-2014-2987 | Cross-Site Request Forgery (CSRF) vulnerability in Egroupware Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. | 6.8 |
| 2012-11-22 | CVE-2012-2211 | Cross-Site Scripting vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805 Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. | 4.3 |
| 2012-08-31 | CVE-2011-4951 | Input Validation vulnerability in eGroupware Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter. network egroupware | 5.8 |
| 2012-08-31 | CVE-2011-4950 | Cross-Site Scripting vulnerability in Egroupware and Egroupware Enterprise Line Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 4.3 |
| 2012-08-31 | CVE-2011-4949 | SQL Injection vulnerability in Egroupware and Egroupware Enterprise Line SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |