CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
89.0%
phpCollab is a web-enabled groupware and project management software written in PHP. It uses SQL-based database backends.
Multiple vulnerabilities have been found in phpCollab:
These vulnerabilities enable remote attackers to execute arbitrary SQL statements and PHP code. NOTE: Some of the SQL injection vulnerabilities require the php.ini option “magic_quotes_gpc” to be disabled. Furthermore, an attacker might be able to execute arbitrary shell commands if “register_globals” is enabled, “magic_quotes_gpc” is disabled, the PHP OpenSSL extension is not installed or loaded and the file “installation/setup.php” has not been deleted after installation.
There is no known workaround at this time.
phpCollab has been removed from the Portage tree. We recommend that users unmerge phpCollab:
# emerge --unmerge "www-apps/phpcollab"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | www-apps/phpcollab | <= 2.5_rc3 | UNKNOWN |