Executive Summary

Summary
Title : New egroupware packages fix several vulnerabilities

Information
Name : DSA-2013
Vendor : Debian
Severity (Vendor) : N/A
First vendor Publication : 2010-03-11
Last vendor Modification : 2010-03-11
Revision : 1

Security-Database Scoring CVSS v2

CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
CVSS Impact Score : 6.4
CVSS Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required

Detail

Nahuel Grisolia discovered two vulnerabilities in Egroupware, a web-based groupware suite: missing input sanitising in the spellchecker integration may lead to the execution of arbitrary commands, and a cross-site scripting vulnerability was discovered in the login page.

For the stable distribution (lenny), these problems have been fixed in version 1.4.004-2.dfsg-4.2.

The upcoming stable distribution (squeeze) no longer contains egroupware packages.

We recommend that you upgrade your egroupware packages.

Original Source

Url : http://www.debian.org/security/2010/dsa-2013

CWE : Common Weakness Enumeration

Id       Name
CWE-94   Failure to Control Generation of Code ('Code Injection')
CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')

CPE : Common Platform Enumeration

Type          Description   Count
Application                 8

OpenVAS Exploits

Date         Description
2010-09-24   Name : EGroupware multiple vulnerabilities
             File : nvt/gb_egroupware_mult_vulns_09_10.nasl
2010-03-16   Name : FreeBSD Ports: egroupware
             File : nvt/freebsd_egroupware0.nasl
2010-03-16   Name : Debian Security Advisory DSA 2013-1 (egroupware)
             File : nvt/deb_2013_1.nasl

Open Source Vulnerability Database (OSVDB)

Id      Description
62805   eGroupWare spellchecker.php Multiple Parameter Arbitrary Shell Command Execution
62804   eGroupWare login.php lang Parameter XSS

Nessus® Vulnerability Scanner

Date         Description
2010-03-15   Name : The remote Debian host is missing a security-related update.
             File : debian_DSA-2013.nasl - Type : ACT_GATHER_INFO
2010-03-10   Name : The remote web server contains a CGI script that can be abused to execute arb...
             File : egroupware_spellchecker_cmd_exec.nasl - Type : ACT_ATTACK

Alert History

Date                  Information
2014-02-17 11:29:18   Multiple Updates