EGroupware mishandles an ORDER BY clause
Severity: High (GitHub Reviewed)
Published Jul 7, 2024 to the GitHub Advisory Database; updated Nov 18, 2024
Package
Affected versions: < 23.1.20240624
Patched versions: 23.1.20240624
Published by the National Vulnerability Database: Jul 7, 2024
Published to the GitHub Advisory Database: Jul 7, 2024
Reviewed: Jul 8, 2024
Last updated: Nov 18, 2024
Description
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.
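The general mitigation for ORDER BY injection of this kind, as an added example that is not EGroupware's code or its actual patch: sort identifiers cannot be bound as prepared-statement parameters, so the client value is used only as a key into a server-side allow-list. The `build_order_by` helper, the column names and the `['id' => ..., 'asc' => ...]` request shape are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper and constructed column names,
// not taken from EGroupware.
const SORTABLE_COLUMNS = [
    // client-facing sort id => SQL expression written by the developer
    'n_family' => 'n_family',
    'org_name' => 'org_name',
    'modified' => 'contact_modified',
];

/**
 * Build an ORDER BY clause from an untrusted sort request.
 * The client-supplied id is only a lookup key; it is never concatenated
 * into the SQL text.
 *
 * @param mixed $sort untrusted; assumed shape ['id' => string, 'asc' => bool]
 */
function build_order_by($sort, string $default = 'n_family'): string
{
    $id = is_array($sort) && isset($sort['id']) && is_string($sort['id'])
        ? $sort['id']
        : $default;

    // Descending only for an explicit, strictly matched "false" value.
    $desc = is_array($sort) && array_key_exists('asc', $sort)
        && in_array($sort['asc'], [false, 0, '0', 'false'], true);

    if (!array_key_exists($id, SORTABLE_COLUMNS)) {
        // Record the rejected value (escaped, truncated) for detection,
        // then fall back to a known-safe default column.
        error_log('rejected sort id: '
            . addcslashes(substr($id, 0, 80), "\0..\37\177..\377"));
        $id = $default;
    }
    return 'ORDER BY ' . SORTABLE_COLUMNS[$id] . ($desc ? ' DESC' : ' ASC');
}

// Constructed inputs: one legitimate request, one carrying SQL in sort.id.
$requests = [
    ['id' => 'org_name', 'asc' => false],
    ['id' => 'n_family, (SELECT 1)', 'asc' => true],
];
foreach ($requests as $sort) {
    echo 'SELECT * FROM contacts ', build_order_by($sort), "\n";
}
```

The rejected value never reaches the query text, and the `error_log` line gives a detection point for repeated probing of the sort parameter.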