EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-07-07T00:00:00
Updated: 2024-08-02T04:33:11.805Z
Reserved: 2024-07-07T00:00:00
Link: CVE-2024-40614
Vulnrichment
Updated: 2024-07-22T19:57:11.721Z
NVD
Status : Modified
Published: 2024-07-07T15:15:09.923
Modified: 2024-07-10T13:15:10.833
Link: CVE-2024-40614
Redhat
No data.