CVE-2024-40614

Published: Jul 7, 2024

Modified: Nov 25, 2025

PUBLISHED

Description

EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://syss.de

https://github.com/EGroupware/egroupware/releases/tag/23.1.20240624

https://help.egroupware.org/t/egroupware-maintenance-security-release-23-1-20240624/78438

https://github.com/EGroupware/egroupware/compare/23.1.20240430...23.1.20240624

https://github.com/EGroupware/egroupware/commit/553829d30cc2ccdc0e5a8c5a0e16fa03a3399a3f

https://www.syss.de/pentest-blog/sql-injection-schwachstelle-in-egroupware-syss-2024-047

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-047.txt

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-40614

Description

Affected Products

References