GHSA-phg7-8mm9-gj88

Suggest an improvement
Source
https://github.com/advisories/GHSA-phg7-8mm9-gj88
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-phg7-8mm9-gj88/GHSA-phg7-8mm9-gj88.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-phg7-8mm9-gj88
Aliases
Published
2024-07-07T15:31:12Z
Modified
2024-11-28T05:42:46.420324Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
EGroupware mishandles an ORDER BY clause
Details

EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajaxgetrows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.

Database specific
{
    "nvd_published_at": "2024-07-07T15:15:09Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T15:00:36Z"
}
References

Affected packages

Packagist / egroupware/egroupware

Package

Name
egroupware/egroupware
Purl
pkg:composer/egroupware/egroupware

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
23.1.20240624

Affected versions

14.*

14.2.20150121
14.2.20150206
14.2.20150210
14.2.20150212
14.2.20150218
14.2.20150310
14.2.20150402
14.2.20150421
14.2.20150428
14.2.20150429
14.2.20150501
14.2.20150603
14.2.20150707
14.2.20150717
14.3.20150728
14.3.20150729
14.3.20150811
14.3.20150821
14.3.20150826
14.3.20150908
14.3.20151012
14.3.20151027
14.3.20151028
14.3.20151029
14.3.20151030
14.3.20151110
14.3.20151130
14.3.20151201
14.3.20160112
14.3.20160113
14.3.20160304
14.3.20160428
14.3.20160512
14.3.20160522
14.3.20160524
14.3.20160525
14.3.20160708

16.*

16.1.20160603
16.1.20160621
16.1.20160627
16.1.20160630
16.1.20160708
16.1.20160715
16.1.20160801
16.1.20160810
16.1.20160905
16.1.20161006
16.1.20161102
16.1.20161107
16.1.20161208
16.1.20170118
16.1.20170203
16.1.20170315
16.1.20170415
16.1.20170612
16.1.20170613
16.1.20170703
16.1.20170922
16.1.20171106
16.1.20180116
16.1.20180130

17.*

17.1.20171023
17.1.20171106
17.1.20171115
17.1.20171129
17.1.20171130
17.1.20171218
17.1.20180118
17.1.20180130
17.1.20180209
17.1.20180321
17.1.20180413
17.1.20180523
17.1.20180625
17.1.20180720
17.1.20180831
17.1.20181018
17.1.20181204
17.1.20181205
17.1.20190111
17.1.20190214
17.1.20190222
17.1.20190402
17.1.20190529
17.1.20190808

19.*

19.1.20190716
19.1.20190717
19.1.20190726
19.1.20190806
19.1.20190813
19.1.20190822
19.1.20190917
19.1.20190925
19.1.20191031
19.1.20191119
19.1.20191220
19.1.20200130
19.1.20200318
19.1.20200409
19.1.20200430
19.1.20200605
19.1.20200701

20.*

20.1.20200525
20.1.20200613
20.1.20200628
20.1.20200710
20.1.20200716
20.1.20200728
20.1.20200731
20.1.20200810
20.1.20200812
20.1.20200818
20.1.20200901
20.1.20200914
20.1.20201005
20.1.20201020
20.1.20201028
20.1.20201202
20.1.20201217
20.1.20210125
20.1.20210324
20.1.20210503

21.*

21.1.20210318
21.1.20210329
21.1.20210406
21.1.20210420
21.1.20210504
21.1.20210521
21.1.20210629
21.1.20210723
21.1.20210923
21.1.20211130
21.1.20220207
21.1.20220406
21.1.20220408
21.1.20220905
21.1.20220916
21.1.20221202
21.1.20230210

22.*

22.1.20220920

23.*

23.1.20230110
23.1.20230114
23.1.20230125
23.1.20230210
23.1.20230228
23.1.20230314
23.1.20230328
23.1.20230412
23.1.20230428
23.1.20230503
23.1.20230524
23.1.20230620
23.1.20230726
23.1.20230728
23.1.20230824
23.1.20230911
23.1.20231110
23.1.20231122
23.1.20231129
23.1.20231201
23.1.20231219
23.1.20231220
23.1.20240125
23.1.20240304
23.1.20240430