Vulnerabilities > Egroupware

DATE CVE VULNERABILITY TITLE RISK
2023-10-26 CVE-2023-38328 Insufficiently Protected Credentials vulnerability in Egroupware 17.1.20190111
An issue was discovered in eGroupWare 17.1.20190111.
network
low complexity
egroupware CWE-522
4.9

2017-09-30 CVE-2017-14920 Cross-site Scripting vulnerability in Egroupware
Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
network
egroupware CWE-79
4.3

2015-03-31 CVE-2014-2027 Code Injection vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805
eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5) info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed parameter to preferences/inc/class.uiaclprefs.inc.php.
network
low complexity
egroupware CWE-94
7.5

2014-10-27 CVE-2014-2988 Code Injection vulnerability in Egroupware
EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter.
network
egroupware CWE-94
8.5

2014-10-26 CVE-2014-2987 Cross-Site Request Forgery (CSRF) vulnerability in Egroupware
Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php.
6.8

2012-11-22 CVE-2012-2211 Cross-Site Scripting vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805
Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php.
network
egroupware CWE-79
4.3

2012-08-31 CVE-2011-4951 Input Validation vulnerability in eGroupware
Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter.
network
egroupware
5.8

2012-08-31 CVE-2011-4950 Cross-Site Scripting vulnerability in Egroupware and Egroupware Enterprise Line
Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
network
egroupware CWE-79
4.3

2012-08-31 CVE-2011-4949 SQL Injection vulnerability in Egroupware and Egroupware Enterprise Line
SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id parameter.
network
low complexity
egroupware CWE-89
7.5

2012-08-31 CVE-2011-4948 Path Traversal vulnerability in Egroupware and Egroupware Enterprise Line
Directory traversal vulnerability in admin/remote.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter.
network
low complexity
egroupware CWE-22
5.0