CVE-2014-2988 Information

Description

EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

Reference

http://advisories.mageia.org/MGASA-2014-0221.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:087
http://www.securityfocus.com/archive/1/532103/100/0/threaded
https://www.htbridge.com/advisory/HTB23212
