Vulnerability Details CVE-2024-40614
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.6%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2024-40614
- cpe:2.3:a:egroupware:egroupware:-
- cpe:2.3:a:egroupware:egroupware:1.8.001.20110421
- cpe:2.3:a:egroupware:egroupware:1.8.001.20110805
- cpe:2.3:a:egroupware:egroupware:14.1.20140417
- cpe:2.3:a:egroupware:egroupware:14.1.20140419
- cpe:2.3:a:egroupware:egroupware:14.1.20140424
- cpe:2.3:a:egroupware:egroupware:14.1.20140425
- cpe:2.3:a:egroupware:egroupware:14.1.20140429
- cpe:2.3:a:egroupware:egroupware:14.1.20140512
- cpe:2.3:a:egroupware:egroupware:14.1.20140514
- cpe:2.3:a:egroupware:egroupware:14.1.20140617
- cpe:2.3:a:egroupware:egroupware:14.1.20140627
- cpe:2.3:a:egroupware:egroupware:14.1.20140630
- cpe:2.3:a:egroupware:egroupware:14.1.20140708
- cpe:2.3:a:egroupware:egroupware:14.1.20140710
- cpe:2.3:a:egroupware:egroupware:14.1.20140714
- cpe:2.3:a:egroupware:egroupware:14.1.20140724
- cpe:2.3:a:egroupware:egroupware:14.1.20140725
- cpe:2.3:a:egroupware:egroupware:14.1.20140731
- cpe:2.3:a:egroupware:egroupware:14.1.20140812
- cpe:2.3:a:egroupware:egroupware:14.1.20140827
- cpe:2.3:a:egroupware:egroupware:14.1.20140828
- cpe:2.3:a:egroupware:egroupware:14.1.20140902
- cpe:2.3:a:egroupware:egroupware:14.1.20140903
- cpe:2.3:a:egroupware:egroupware:14.1.20140909
- cpe:2.3:a:egroupware:egroupware:14.1.20140910
- cpe:2.3:a:egroupware:egroupware:14.1.20140923
- cpe:2.3:a:egroupware:egroupware:14.1.20141001
- cpe:2.3:a:egroupware:egroupware:14.1.20141002
- cpe:2.3:a:egroupware:egroupware:14.1.20141007
- cpe:2.3:a:egroupware:egroupware:14.1.20141010
- cpe:2.3:a:egroupware:egroupware:14.1.20141021
- cpe:2.3:a:egroupware:egroupware:14.1.20141106
- cpe:2.3:a:egroupware:egroupware:14.1.20141112
- cpe:2.3:a:egroupware:egroupware:14.1.20141113
- cpe:2.3:a:egroupware:egroupware:14.1.20141205
- cpe:2.3:a:egroupware:egroupware:14.1.20141219
- cpe:2.3:a:egroupware:egroupware:14.1.20150113
- cpe:2.3:a:egroupware:egroupware:14.1.20150121
- cpe:2.3:a:egroupware:egroupware:14.1.20150210
- cpe:2.3:a:egroupware:egroupware:14.2.20141209
- cpe:2.3:a:egroupware:egroupware:14.2.20141210
- cpe:2.3:a:egroupware:egroupware:14.2.20141211
- cpe:2.3:a:egroupware:egroupware:14.2.20141219
- cpe:2.3:a:egroupware:egroupware:14.2.20150113
- cpe:2.3:a:egroupware:egroupware:14.2.20150121
- cpe:2.3:a:egroupware:egroupware:14.2.20150206
- cpe:2.3:a:egroupware:egroupware:14.2.20150210
- cpe:2.3:a:egroupware:egroupware:14.2.20150212
- cpe:2.3:a:egroupware:egroupware:14.2.20150218
- cpe:2.3:a:egroupware:egroupware:14.2.20150310
- cpe:2.3:a:egroupware:egroupware:14.2.20150402
- cpe:2.3:a:egroupware:egroupware:14.2.20150421
- cpe:2.3:a:egroupware:egroupware:14.2.20150428
- cpe:2.3:a:egroupware:egroupware:14.2.20150429
- cpe:2.3:a:egroupware:egroupware:14.2.20150501
- cpe:2.3:a:egroupware:egroupware:14.2.20150603
- cpe:2.3:a:egroupware:egroupware:14.2.20150707
- cpe:2.3:a:egroupware:egroupware:14.2.20150717
- cpe:2.3:a:egroupware:egroupware:14.3.20150728
- cpe:2.3:a:egroupware:egroupware:14.3.20150729
- cpe:2.3:a:egroupware:egroupware:14.3.20150811
- cpe:2.3:a:egroupware:egroupware:14.3.20150821
- cpe:2.3:a:egroupware:egroupware:14.3.20150826
- cpe:2.3:a:egroupware:egroupware:14.3.20150908
- cpe:2.3:a:egroupware:egroupware:14.3.20151012
- cpe:2.3:a:egroupware:egroupware:14.3.20151027
- cpe:2.3:a:egroupware:egroupware:14.3.20151028
- cpe:2.3:a:egroupware:egroupware:14.3.20151029
- cpe:2.3:a:egroupware:egroupware:14.3.20151030
- cpe:2.3:a:egroupware:egroupware:14.3.20151110
- cpe:2.3:a:egroupware:egroupware:14.3.20151130
- cpe:2.3:a:egroupware:egroupware:14.3.20151201
- cpe:2.3:a:egroupware:egroupware:14.3.20160112
- cpe:2.3:a:egroupware:egroupware:14.3.20160113
- cpe:2.3:a:egroupware:egroupware:14.3.20160304
- cpe:2.3:a:egroupware:egroupware:14.3.20160428
- cpe:2.3:a:egroupware:egroupware:14.3.20160512
- cpe:2.3:a:egroupware:egroupware:14.3.20160522
- cpe:2.3:a:egroupware:egroupware:14.3.20160524
- cpe:2.3:a:egroupware:egroupware:14.3.20160525
- cpe:2.3:a:egroupware:egroupware:14.3.20160708
- cpe:2.3:a:egroupware:egroupware:16.1.20160603
- cpe:2.3:a:egroupware:egroupware:16.1.20160621
- cpe:2.3:a:egroupware:egroupware:16.1.20160627
- cpe:2.3:a:egroupware:egroupware:16.1.20160630
- cpe:2.3:a:egroupware:egroupware:16.1.20160708
- cpe:2.3:a:egroupware:egroupware:16.1.20160715
- cpe:2.3:a:egroupware:egroupware:16.1.20160801
- cpe:2.3:a:egroupware:egroupware:16.1.20160810
- cpe:2.3:a:egroupware:egroupware:16.1.20160905
- cpe:2.3:a:egroupware:egroupware:16.1.20161006
- cpe:2.3:a:egroupware:egroupware:16.1.20161102
- cpe:2.3:a:egroupware:egroupware:16.1.20161107
- cpe:2.3:a:egroupware:egroupware:16.1.20161208
- cpe:2.3:a:egroupware:egroupware:16.1.20170118
- cpe:2.3:a:egroupware:egroupware:16.1.20170203
- cpe:2.3:a:egroupware:egroupware:16.1.20170315
- cpe:2.3:a:egroupware:egroupware:16.1.20170415
- cpe:2.3:a:egroupware:egroupware:16.1.20170612
- cpe:2.3:a:egroupware:egroupware:16.1.20170613
- cpe:2.3:a:egroupware:egroupware:16.1.20170703
- cpe:2.3:a:egroupware:egroupware:16.1.20170922
- cpe:2.3:a:egroupware:egroupware:16.1.20171106
- cpe:2.3:a:egroupware:egroupware:16.1.20180116
- cpe:2.3:a:egroupware:egroupware:16.1.20180130
- cpe:2.3:a:egroupware:egroupware:17.1.20171023
- cpe:2.3:a:egroupware:egroupware:17.1.20171106
- cpe:2.3:a:egroupware:egroupware:17.1.20171115
- cpe:2.3:a:egroupware:egroupware:17.1.20171129
- cpe:2.3:a:egroupware:egroupware:17.1.20171130
- cpe:2.3:a:egroupware:egroupware:17.1.20171218
- cpe:2.3:a:egroupware:egroupware:17.1.20180118
- cpe:2.3:a:egroupware:egroupware:17.1.20180130
- cpe:2.3:a:egroupware:egroupware:17.1.20180209
- cpe:2.3:a:egroupware:egroupware:17.1.20180321
- cpe:2.3:a:egroupware:egroupware:17.1.20180413
- cpe:2.3:a:egroupware:egroupware:17.1.20180523
- cpe:2.3:a:egroupware:egroupware:17.1.20180625
- cpe:2.3:a:egroupware:egroupware:17.1.20180720
- cpe:2.3:a:egroupware:egroupware:17.1.20180831
- cpe:2.3:a:egroupware:egroupware:17.1.20181018
- cpe:2.3:a:egroupware:egroupware:17.1.20181204
- cpe:2.3:a:egroupware:egroupware:17.1.20181205
- cpe:2.3:a:egroupware:egroupware:17.1.20190111
- cpe:2.3:a:egroupware:egroupware:17.1.20190214
- cpe:2.3:a:egroupware:egroupware:17.1.20190222
- cpe:2.3:a:egroupware:egroupware:17.1.20190402
- cpe:2.3:a:egroupware:egroupware:17.1.20190529
- cpe:2.3:a:egroupware:egroupware:17.1.20190808
- cpe:2.3:a:egroupware:egroupware:19.1.20190716
- cpe:2.3:a:egroupware:egroupware:19.1.20190717
- cpe:2.3:a:egroupware:egroupware:19.1.20190726
- cpe:2.3:a:egroupware:egroupware:19.1.20190806
- cpe:2.3:a:egroupware:egroupware:19.1.20190813
- cpe:2.3:a:egroupware:egroupware:19.1.20190822
- cpe:2.3:a:egroupware:egroupware:19.1.20190917
- cpe:2.3:a:egroupware:egroupware:19.1.20190925
- cpe:2.3:a:egroupware:egroupware:19.1.20191031
- cpe:2.3:a:egroupware:egroupware:19.1.20191119
- cpe:2.3:a:egroupware:egroupware:19.1.20191220
- cpe:2.3:a:egroupware:egroupware:19.1.20200130
- cpe:2.3:a:egroupware:egroupware:19.1.20200318
- cpe:2.3:a:egroupware:egroupware:19.1.20200409
- cpe:2.3:a:egroupware:egroupware:19.1.20200430
- cpe:2.3:a:egroupware:egroupware:20.1.20200525
- cpe:2.3:a:egroupware:egroupware:21.1.20210318
- cpe:2.3:a:egroupware:egroupware:21.1.20210329
- cpe:2.3:a:egroupware:egroupware:21.1.20210406
- cpe:2.3:a:egroupware:egroupware:21.1.20210420
- cpe:2.3:a:egroupware:egroupware:21.1.20210504
- cpe:2.3:a:egroupware:egroupware:21.1.20210521
- cpe:2.3:a:egroupware:egroupware:21.1.20210629
- cpe:2.3:a:egroupware:egroupware:21.1.20210723
- cpe:2.3:a:egroupware:egroupware:21.1.20210923
- cpe:2.3:a:egroupware:egroupware:21.1.20211130
- cpe:2.3:a:egroupware:egroupware:21.1.20220207
- cpe:2.3:a:egroupware:egroupware:21.1.20220406
- cpe:2.3:a:egroupware:egroupware:21.1.20220408
- cpe:2.3:a:egroupware:egroupware:21.1.20220905
- cpe:2.3:a:egroupware:egroupware:21.1.20220916
- cpe:2.3:a:egroupware:egroupware:21.1.20221202
- cpe:2.3:a:egroupware:egroupware:21.1.20230210
- cpe:2.3:a:egroupware:egroupware:22.1.20220920
- cpe:2.3:a:egroupware:egroupware:23.1.20230110
- cpe:2.3:a:egroupware:egroupware:23.1.20230114
- cpe:2.3:a:egroupware:egroupware:23.1.20230125
- cpe:2.3:a:egroupware:egroupware:23.1.20230210
- cpe:2.3:a:egroupware:egroupware:23.1.20230228
- cpe:2.3:a:egroupware:egroupware:23.1.20230314
- cpe:2.3:a:egroupware:egroupware:23.1.20230328
- cpe:2.3:a:egroupware:egroupware:23.1.20230412
- cpe:2.3:a:egroupware:egroupware:23.1.20230428
- cpe:2.3:a:egroupware:egroupware:23.1.20230503
- cpe:2.3:a:egroupware:egroupware:23.1.20230524
- cpe:2.3:a:egroupware:egroupware:23.1.20230620
- cpe:2.3:a:egroupware:egroupware:23.1.20230726
- cpe:2.3:a:egroupware:egroupware:23.1.20230728
- cpe:2.3:a:egroupware:egroupware:23.1.20230824
- cpe:2.3:a:egroupware:egroupware:23.1.20230911
- cpe:2.3:a:egroupware:egroupware:23.1.20231110
- cpe:2.3:a:egroupware:egroupware:23.1.20231113
- cpe:2.3:a:egroupware:egroupware:23.1.20231122
- cpe:2.3:a:egroupware:egroupware:23.1.20231129
- cpe:2.3:a:egroupware:egroupware:23.1.20231201
- cpe:2.3:a:egroupware:egroupware:23.1.20231219
- cpe:2.3:a:egroupware:egroupware:23.1.20231220
- cpe:2.3:a:egroupware:egroupware:23.1.20240125
- cpe:2.3:a:egroupware:egroupware:23.1.20240304
- cpe:2.3:a:egroupware:egroupware:23.1.20240430