CVE-2014-2988: Code Injection
First published: Mon Oct 27 2014(Updated: )
EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Allegro | <=1.6.001 | |
| Allegro | <=1.8006 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-2988?
CVE-2014-2988 has a high severity rating due to the potential for remote code execution by authenticated users.
How do I fix CVE-2014-2988?
To mitigate CVE-2014-2988, upgrade to EGroupware Enterprise Line version 1.1.20140505 or later, or EGroupware Community Edition version 1.8.007.20140506 or later.
Who is affected by CVE-2014-2988?
CVE-2014-2988 affects users of EGroupware versions before 1.1.20140505 and EGroupware Community Edition before 1.8.007.20140506.
What type of vulnerability is CVE-2014-2988?
CVE-2014-2988 is classified as a remote code execution vulnerability.
Can CVE-2014-2988 be exploited remotely?
Yes, CVE-2014-2988 can be exploited by remote authenticated administrators, allowing them to execute arbitrary PHP code.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/egroupware
- canonical/allegro
- version/allegro/1.6.001
- version/allegro/1.8006