Vulnerabilities > Egroupware > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-26 | CVE-2023-38328 | Insufficiently Protected Credentials vulnerability in Egroupware 17.1.20190111 An issue was discovered in eGroupWare 17.1.20190111. | 4.9 |
| 2017-09-30 | CVE-2017-14920 | Cross-site Scripting vulnerability in Egroupware Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator. | 4.3 |
| 2014-10-26 | CVE-2014-2987 | Cross-Site Request Forgery (CSRF) vulnerability in Egroupware Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. | 6.8 |
| 2012-11-22 | CVE-2012-2211 | Cross-Site Scripting vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805 Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. | 4.3 |
| 2012-08-31 | CVE-2011-4951 | Input Validation vulnerability in eGroupware Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter. network egroupware | 5.8 |
| 2012-08-31 | CVE-2011-4950 | Cross-Site Scripting vulnerability in Egroupware and Egroupware Enterprise Line Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 4.3 |
| 2012-08-31 | CVE-2011-4948 | Path Traversal vulnerability in Egroupware and Egroupware Enterprise Line Directory traversal vulnerability in admin/remote.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter. | 5.0 |
| 2010-09-22 | CVE-2010-3314 | Cross-Site Scripting vulnerability in Egroupware Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 4.3 |
| 2008-03-25 | CVE-2008-1502 | Cross-Site Scripting vulnerability in multiple products The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols. | 4.3 |
| 2007-09-26 | CVE-2007-5091 | Cross-Site Scripting vulnerability in Egroupware 1.4.001 Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4.001 allow remote attackers to inject arbitrary web script or HTML via the cat_data[color] parameter to (1) preferences/inc/class.uicategories.inc.php and (2) admin/inc/class.uicategories.inc.php. | 4.3 |