CVE-2014-2988

Exploit

EPSS 0.91%
Published 27.10.2014 01:55:24
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

Affected products Warnungen 0 Metrics 2 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Egroupware ≫ Egroupware Version <= 1.6.001

Egroupware ≫ Egroupware SwEditioncommunity Version <= 1.8006

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.91%	0.736

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.5	6.8	10	AV:N/AC:M/Au:S/C:C/I:C/A:C

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://advisories.mageia.org/MGASA-2014-0221.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:087

http://www.securityfocus.com/archive/1/532103/100/0/threaded

https://www.htbridge.com/advisory/HTB23212

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2014-2988

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-2988

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-2988

EUVD