Remote Code Execution Vulnerability in EGroupware
CVE-2014-2988

Currently unrated

Key Information:

Vendor: Egroupware
Status: Egroupware
Vendor: CVE Published:; 27 October 2014

What is CVE-2014-2988?

EGroupware versions prior to 1.1.20140505 for the Enterprise Line and prior to 1.8.007.20140506 for the Community Edition are susceptible to a remote code execution vulnerability. Privileged authenticated administrators are able to execute arbitrary PHP code through manipulated callback values delivered to the call_user_func PHP function, particularly utilizing the newsettings[system] parameter. This vulnerability can be exploited when combined with CVE-2014-2987, allowing attackers to gain unauthorized access and control over the server.

References

http://advisories.mageia.org/MGASA-2014-0221.html

x_refsource_CONFIRM

http://www.mandriva.com/security/advisories?name=MDVSA-20...

vendor-advisoryx_refsource_MANDRIVA

https://www.htbridge.com/advisory/HTB23212

x_refsource_MISC

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 27, 2014
Vulnerability Reserved
Apr 24, 2014

Egroupware

What is CVE-2014-2988?

References

Timeline