Summary
eGroupware is prone to a cross-site scripting vulnerability and to a SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Exploiting the SQL-injection issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eGroupware 1.8.001 is vulnerable; other versions may also be affected.
References