CVE-2014-2988

Exploit

EPSS 0.91%
Veröffentlicht 27.10.2014 01:55:24
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Egroupware ≫ Egroupware Version <= 1.6.001

Egroupware ≫ Egroupware SwEditioncommunity Version <= 1.8006

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.91%	0.736

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.5	6.8	10	AV:N/AC:M/Au:S/C:C/I:C/A:C

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://advisories.mageia.org/MGASA-2014-0221.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:087

http://www.securityfocus.com/archive/1/532103/100/0/threaded

https://www.htbridge.com/advisory/HTB23212

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2014-2988

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-2988

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-2988

EUVD