CVE-2014-2987 Information

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988.

Reference

http://advisories.mageia.org/MGASA-2014-0221.html
http://secunia.com/advisories/58346
http://www.egroupware.org/changelog
http://www.egroupware.org/forumnabble-td3997580
http://www.mandriva.com/security/advisories?name=MDVSA-2015:087
http://www.securityfocus.com/archive/1/532103/100/0/threaded
https://www.htbridge.com/advisory/HTB23212