2024-07-07 00:00:00
mitre
PUBLISHED
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupwareApiEtemplateWidgetNextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.