EGroupware multiple vulnerabilities

Summary
EGroupware is prone to multiple vulnerabilities.

1. Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002, 1.6.001+.002 and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

2. phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002, 1.6.001+.002 and possibly other versions before 1.6.003, and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.

Solution
Vendor updates are available. Please see the references for details.
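
Alongside updating, web server access logs can be reviewed for requests that touch the two scripts named in the summary. The following is an added example, not EGroupware or vendor code: it flags requests whose lang, aspell_path or spellchecker_lang values fall outside a conservative allowlist. It assumes combined-format access logs and parameters sent in the query string (POST bodies are not visible in such logs); the allowlist patterns and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative allowlists (assumptions): a language code such as "en" or
# "pt-br", and a filesystem path without shell-significant characters.
LANG_OK = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*")
PATH_OK = re.compile(r"[A-Za-z0-9_./\\: -]+")

# script name -> {parameter: allowlist pattern}
RULES = {
    "login.php": {"lang": LANG_OK},
    "spellchecker.php": {"aspell_path": PATH_OK, "spellchecker_lang": LANG_OK},
}

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return sorted (script, parameter) pairs whose value fails its allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    rules = RULES.get(script, {})
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    hits = set()
    for param, pattern in rules.items():
        for value in query.get(param, []):
            if not pattern.fullmatch(value):
                hits.add((script, param))
    return sorted(hits)


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2010:10:00:01 +0000] "GET /egroupware/login.php?lang=de HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Mar/2010:10:02:17 +0000] "GET /egroupware/login.php?lang=%22%3E%3Cb%3E HTTP/1.1" 200 5133',
    '192.0.2.44 - - [10/Mar/2010:10:03:40 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?spellchecker_lang=en%3Bid&aspell_path=aspell HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for script, param in suspicious_params(line):
            print(f"{script}: parameter {param!r} fails allowlist: {line}")
```

A hit means the value is unusual for that parameter, not that exploitation succeeded; a quoted Windows path in aspell_path, for instance, would also be flagged and needs manual review.
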
References