Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1waGc3LThtbTktZ2o4OM4AA9ne
EGroupware mishandles an ORDER BY clause
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This allows authenticated users to perform SQL injection through the sort.id parameter of json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows when sorting the Address Book or InfoLog.
Permalink: https://github.com/advisories/GHSA-phg7-8mm9-gj88
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1waGc3LThtbTktZ2o4OM4AA9ne
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-phg7-8mm9-gj88, CVE-2024-40614
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-40614
- https://github.com/EGroupware/egroupware/commit/553829d30cc2ccdc0e5a8c5a0e16fa03a3399a3f
- https://github.com/EGroupware/egroupware/compare/23.1.20240430...23.1.20240624
- https://github.com/EGroupware/egroupware/releases/tag/23.1.20240624
- https://help.egroupware.org/t/egroupware-maintenance-security-release-23-1-20240624/78438
- https://syss.de
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-047.txt
- https://www.syss.de/pentest-blog/sql-injection-schwachstelle-in-egroupware-syss-2024-047
- https://github.com/advisories/GHSA-phg7-8mm9-gj88
Blast Radius: 5.9
Affected Packages
packagist:egroupware/egroupware
Dependent packages: 10
Dependent repositories: 8
Downloads: 1,187 total
Affected Version Ranges: < 23.1.20240624
Fixed in: 23.1.20240624
All affected versions: 14.2.20150121, 14.2.20150206, 14.2.20150210, 14.2.20150212, 14.2.20150218, 14.2.20150310, 14.2.20150402, 14.2.20150421, 14.2.20150428, 14.2.20150429, 14.2.20150501, 14.2.20150603, 14.2.20150707, 14.2.20150717, 14.3.20150728, 14.3.20150729, 14.3.20150811, 14.3.20150821, 14.3.20150826, 14.3.20150908, 14.3.20151012, 14.3.20151027, 14.3.20151028, 14.3.20151029, 14.3.20151030, 14.3.20151110, 14.3.20151130, 14.3.20151201, 14.3.20160112, 14.3.20160113, 14.3.20160304, 14.3.20160428, 14.3.20160512, 14.3.20160522, 14.3.20160524, 14.3.20160525, 14.3.20160708, 16.1.20160603, 16.1.20160621, 16.1.20160627, 16.1.20160630, 16.1.20160708, 16.1.20160715, 16.1.20160801, 16.1.20160810, 16.1.20160905, 16.1.20161006, 16.1.20161102, 16.1.20161107, 16.1.20161208, 16.1.20170118, 16.1.20170203, 16.1.20170315, 16.1.20170415, 16.1.20170612, 16.1.20170613, 16.1.20170703, 16.1.20170922, 16.1.20171106, 16.1.20180116, 16.1.20180130, 17.1.20171023, 17.1.20171106, 17.1.20171115, 17.1.20171129, 17.1.20171130, 17.1.20171218, 17.1.20180118, 17.1.20180130, 17.1.20180209, 17.1.20180321, 17.1.20180413, 17.1.20180523, 17.1.20180625, 17.1.20180720, 17.1.20180831, 17.1.20181018, 17.1.20181204, 17.1.20181205, 17.1.20190111, 17.1.20190214, 17.1.20190222, 17.1.20190402, 17.1.20190529, 17.1.20190808, 19.1.20190716, 19.1.20190717, 19.1.20190726, 19.1.20190806, 19.1.20190813, 19.1.20190822, 19.1.20190917, 19.1.20190925, 19.1.20191031, 19.1.20191119, 19.1.20191220, 19.1.20200130, 19.1.20200318, 19.1.20200409, 19.1.20200430, 19.1.20200605, 19.1.20200701, 20.1.20200525, 20.1.20200613, 20.1.20200628, 20.1.20200710, 20.1.20200716, 20.1.20200728, 20.1.20200731, 20.1.20200810, 20.1.20200812, 20.1.20200818, 20.1.20200901, 20.1.20200914, 20.1.20201005, 20.1.20201020, 20.1.20201028, 20.1.20201202, 20.1.20201217, 20.1.20210125, 20.1.20210324, 20.1.20210503, 21.1.20210318, 21.1.20210329, 21.1.20210406, 21.1.20210420, 21.1.20210504, 21.1.20210521, 21.1.20210629, 21.1.20210723, 21.1.20210923, 21.1.20211130, 21.1.20220207, 21.1.20220406, 21.1.20220408, 21.1.20220905, 21.1.20220916, 21.1.20221202, 21.1.20230210, 22.1.20220920, 23.1.20230110, 23.1.20230114, 23.1.20230125, 23.1.20230210, 23.1.20230228, 23.1.20230314, 23.1.20230328, 23.1.20230412, 23.1.20230428, 23.1.20230503, 23.1.20230524, 23.1.20230620, 23.1.20230726, 23.1.20230728, 23.1.20230824, 23.1.20230911, 23.1.20231110, 23.1.20231122, 23.1.20231129, 23.1.20231201, 23.1.20231219, 23.1.20231220, 23.1.20240125, 23.1.20240304, 23.1.20240430
All unaffected versions: 23.1.20240624, 23.1.20240905, 23.1.20240930, 23.1.20241008, 23.1.20241111