CVE-2024-40614: SQL Injection
First published: Sun Jul 07 2024(Updated: )
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/egroupware/egroupware | <23.1.20240624 | 23.1.20240624 |
| Allegro | <23.1.20240624 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://syss.de
- https://github.com/EGroupware/egroupware/releases/tag/23.1.20240624
- https://help.egroupware.org/t/egroupware-maintenance-security-release-23-1-20240624/78438
- https://github.com/EGroupware/egroupware/compare/23.1.20240430...23.1.20240624
- https://github.com/EGroupware/egroupware/commit/553829d30cc2ccdc0e5a8c5a0e16fa03a3399a3f
- https://nvd.nist.gov/vuln/detail/CVE-2024-40614
- https://github.com/advisories/GHSA-phg7-8mm9-gj88 (Advisory)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-047.txt
- https://www.syss.de/pentest-blog/sql-injection-schwachstelle-in-egroupware-syss-2024-047
Frequently Asked Questions
What is the severity of CVE-2024-40614?
CVE-2024-40614 is a high-severity SQL injection vulnerability affecting EGroupware.
How do I fix CVE-2024-40614?
To fix CVE-2024-40614, upgrade EGroupware to version 23.1.20240624 or later.
Who is affected by CVE-2024-40614?
Authenticated users of EGroupware versions before 23.1.20240624 are affected by CVE-2024-40614.
What type of vulnerability is CVE-2024-40614?
CVE-2024-40614 is classified as an SQL injection vulnerability.
What functionality does CVE-2024-40614 impact?
CVE-2024-40614 impacts the sorting functionality for the Address Book and InfoLog features in EGroupware.
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/softwarecombine
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-phg7-8mm9-gj88
- alias/CVE-2024-40614
- agent/software-canonical-lookup
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/egroupware
- canonical/allegro