2 matches found
EGroupware mishandles an ORDER BY clause
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajaxgetrows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting...
CVE-2024-40614
CVE-2024-40614 affects EGroupware prior to 23.1.20240624. The issue arises from mishandling of the ORDER BY clause in queries used by json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows, enabling SQL injection via sort.id for authenticated users when sorting Address Book ...