Summary
EGroupware is prone to multiple vulnerabilities.
1. Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002, 1.6.001+.002, and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
2. phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002, 1.6.001+.002, and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
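As an added defender-side illustration, not part of this advisory and not EGroupware's own code, the following Python snippet checks web-server access-log lines for the two request shapes described above: a login.php request whose lang value carries HTML metacharacters, and a spellchecker.php request whose aspell_path or spellchecker_lang value carries shell metacharacters. The script paths and parameter names are taken from the advisory; the log lines are constructed samples, and the metacharacter sets and log format are assumptions.

```python
# Added example (not from the advisory or from EGroupware): flag access-log
# requests that match the two issues described above. Sample lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter names come from the advisory text.
SPELLCHECKER_SCRIPT = "spellchecker.php"
SPELLCHECKER_PARAMS = ("aspell_path", "spellchecker_lang")
LOGIN_SCRIPT = "login.php"
LOGIN_PARAM = "lang"

# Assumed character sets: what lets a value escape a shell command line,
# and what lets a value break out of an HTML text or attribute context.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")
HTML_META = re.compile(r"[<>\"']")

# Assumed common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: lines 2 and 4 are the ones that should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2015:10:00:01 +0000] "GET /egroupware/login.php?lang=en HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Mar/2015:10:00:02 +0000] "GET /egroupware/login.php?lang=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Mar/2015:10:00:03 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?aspell_path=%2Fusr%2Fbin%2Faspell&spellchecker_lang=en_US HTTP/1.1" 200 310',
    '198.51.100.7 - - [25/Mar/2015:10:00:04 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?aspell_path=%2Fusr%2Fbin%2Faspell%3B&spellchecker_lang=en_US HTTP/1.1" 200 310',
]


def classify(line):
    """Return (finding, parameter, client_host) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we understand
    parts = urlsplit(m.group("target"))
    path = parts.path
    # parse_qs percent-decodes values, so encoded metacharacters are seen as-is.
    query = parse_qs(parts.query, keep_blank_values=True)

    if path.endswith("/" + SPELLCHECKER_SCRIPT):
        for name in SPELLCHECKER_PARAMS:
            for value in query.get(name, []):
                if SHELL_META.search(value):
                    return ("command-injection", name, m.group("host"))

    if path.endswith("/" + LOGIN_SCRIPT):
        for value in query.get(LOGIN_PARAM, []):
            if HTML_META.search(value):
                return ("xss", LOGIN_PARAM, m.group("host"))

    return None


def scan(lines):
    """Return [(line_number, finding)] for every flagged line, 1-indexed."""
    hits = []
    for number, line in enumerate(lines, 1):
        finding = classify(line)
        if finding is not None:
            hits.append((number, finding))
    return hits


if __name__ == "__main__":
    for number, (kind, param, host) in scan(SAMPLE_LOG):
        print(f"line {number}: {kind} attempt via {param} from {host}")
```

A common-log-format access log records only the request line, so values sent in a POST body are invisible to this check; an application-level or reverse-proxy log that captures request bodies is needed for those. The check is a way to spot attempts against hosts that have not yet received the vendor update; it is not a substitute for applying it.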
Solution
Vendor updates are available. Please see the references for details.
References
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2010-3313, CVE-2010-3314
CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Related Vulnerabilities
- Apache Tomcat /servlet Cross Site Scripting
- Ad Manager Pro Multiple SQL Injection And XSS Vulnerabilities
- Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities
- Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution
- AVTECH DVR Multiple Vulnerabilities