Summary
EGroupware is prone to multiple vulnerabilities.
1. Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002, 1.6.001+.002 and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
2. phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002, 1.6.001+.002 and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
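Both issues are input-handling defects of a familiar kind: a request parameter reflected into HTML without encoding, and request parameters concatenated into a shell command line. The following PHP is an added illustration written for this page, not EGroupware's own code; the function names, the language allowlist and the aspell install path are assumptions. It shows each weak pattern beside a hardened version that restricts the value to an allowlist, keeps the binary path under server control, and quotes anything that still reaches the shell.

```php
<?php
// Added illustration, not EGroupware code. Function names, the allowlist
// and ASPELL_BIN are assumptions made for this example.

// Constructed allowlist of language codes the application supports.
const ALLOWED_LANGS = ['en', 'en_US', 'de', 'fr', 'es', 'it'];

// Assumed install path; this belongs in server configuration, never in a request.
const ASPELL_BIN = '/usr/bin/aspell';

// --- 1. Reflecting a request parameter into HTML (the login.php lang issue) ---

// Weak pattern: the raw parameter is echoed into markup.
function render_lang_field_unsafe(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    return '<input type="hidden" name="lang" value="' . $lang . '">';
}

// Hardened: unknown values fall back to a default, and the value is
// HTML-encoded on output regardless, so the field stays safe even if the
// allowlist is relaxed later.
function render_lang_field_safe(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        $lang = 'en';
    }
    return '<input type="hidden" name="lang" value="'
        . htmlspecialchars($lang, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// --- 2. Building a shell command from request parameters (the spellchecker issue) ---

// Weak pattern: both the binary path and the language come from the client
// and are concatenated straight into the command line.
function build_aspell_command_unsafe(array $post): string
{
    $aspell = $post['aspell_path'] ?? 'aspell';
    $lang   = $post['spellchecker_lang'] ?? 'en';
    return $aspell . ' -a --lang=' . $lang;
}

// Hardened: the binary path is fixed server-side, the language must match the
// allowlist exactly, and the one client-derived value is still shell-quoted.
function build_aspell_command_safe(array $post): string
{
    $lang = $post['spellchecker_lang'] ?? 'en';
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        throw new InvalidArgumentException('unsupported spellchecker language');
    }
    return escapeshellcmd(ASPELL_BIN) . ' -a --lang=' . escapeshellarg($lang);
}

// Constructed request carrying a stray quote in lang and a shell
// metacharacter in spellchecker_lang.
$request = [
    'lang'              => '"><i>x</i>',
    'aspell_path'       => '/tmp/not-aspell',
    'spellchecker_lang' => 'en;extra',
];

echo render_lang_field_unsafe($request), PHP_EOL;    // markup reflected verbatim
echo render_lang_field_safe($request), PHP_EOL;      // falls back to "en", encoded
echo build_aspell_command_unsafe($request), PHP_EOL; // /tmp/not-aspell -a --lang=en;extra
try {
    echo build_aspell_command_safe($request), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;    // request refused before any exec
}
```

The allowlist check is the decisive control in both cases; the output encoding and escapeshellarg calls are defence in depth for the day someone widens the allowlist. In a real deployment the aspell path should come from application configuration and the request should never be able to name an executable at all.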
Solution
Vendor updates are available. Please see the references for details.
References
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2010-3313, CVE-2010-3314
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P