PHP Object Injection Vulnerability in eGroupware by eGroupWare GmbH
CVE-2014-2027
Currently unrated
What is CVE-2014-2027?
The vulnerability in eGroupware allows remote attackers to carry out PHP object injection through several parameters of the csv_import.php scripts. This can lead to unauthorized file deletion and potentially to execution of arbitrary code. The affected product versions do not sufficiently validate input parameters, in particular the addr_fields or trans parameters in addressbook, the cal_fields or trans parameters in calendar, and parameters in other contexts involving projectmanager and infolog. Regular updates and security patches are highly recommended to mitigate the risk associated with these vulnerabilities.