Egroupware
CVE-2017-14920
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
AnalysisAI
Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator. Affected products include: Egroupware. Version information: before 16.1.20170922.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Egroupware
View allSQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by
EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupwa
Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGro
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. Rated critical severity (CVSS 9.8), this vulnerability is
Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405
eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary fil
An issue was discovered in eGroupWare 17.1.20190111. A cross-site scripting Reflected (XSS) vulnerability exists in cale
CVE-2023-38327 is a security vulnerability (CVSS 5.3) that allows unauthenticated remote attackers. Remediation should f
An issue was discovered in eGroupWare 17.1.20190111. Rated medium severity (CVSS 4.9), this vulnerability is remotely ex
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today