CVE-2010-3313
Published 2010-09-22
Priority: P2 · 70 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.66% (94.4th percentile)
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | — | — |
| egroupware | egroupware | >= 0 < 1.6.003 | 1.6.003 |
| egroupware | egroupware | >= 9.1 < 9.1.20100309 | 9.1.20100309 |
| egroupware | egroupware | >= 9.2 < 9.2.20100309 | 9.2.20100309 |
Detection & IOCs
path: `phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php`
- Monitor HTTP requests targeting spellchecker.php with shell metacharacters (e.g., `;`, `>`, `|`, `&`) in the `aspell_path` or `spellchecker_lang` query parameters.
- Alert on any GET/POST requests to the path `/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php` with non-empty `aspell_path` or `spellchecker_lang` parameters, as these are not expected to accept user-controlled executable paths.
- This vulnerability requires no authentication (Au:N) and is remotely exploitable with low complexity (AC:L), so any external request to the vulnerable endpoint should be treated as suspicious.
- The vulnerability is unauthenticated and pre-auth, meaning no login session is required to exploit it — perimeter controls alone are insufficient if the EGroupware instance is internet-facing.
- Exploitation results in command execution in the context of the web server user, not necessarily root — post-exploitation privilege escalation may follow.
- Fixed versions are EGroupware 1.6.003, EPL-9.1.20100309, and EPL-9.2.20100309 — any deployment running older versions remains vulnerable.
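The three monitoring bullets above, sketched as an access-log filter. This is an added example, not part of the original page or of any vendor tooling; the combined log format, the `/egroupware` install prefix and the metacharacters beyond `;`, `>`, `|`, `&` are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Endpoint and parameter names as given in the advisory text.
VULN_PATH = ("/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/"
             "spellerpages/serverscripts/spellchecker.php")
PARAMS = ("aspell_path", "spellchecker_lang")
# The page names ; > | & as examples. The other characters are an
# assumption added here to cover further common shell syntax.
SHELL_META = set(";>|&") | set("<`$(){}\n\r")

# Request line of a common/combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return None, 'endpoint-hit', 'param-present' or 'metachar'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # endswith() tolerates an install prefix such as /egroupware.
    if not unquote(url.path).lower().endswith(VULN_PATH):
        return None
    verdict = "endpoint-hit"
    # parse_qs percent-decodes values (so %3B is inspected as ';')
    # and drops empty parameters by default.
    query = parse_qs(url.query)
    for name in PARAMS:
        for value in query.get(name, []):
            if SHELL_META & set(value):
                return "metachar"
            verdict = "param-present"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every line that touches the endpoint."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation addresses, placeholder payloads).
_EP = "/egroupware" + VULN_PATH
_TS = "[01/Jan/2024:00:00:01 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {_TS} "GET /index.php HTTP/1.1" 200 512',
    f'198.51.100.7 - - {_TS} "GET {_EP} HTTP/1.1" 200 300',
    f'198.51.100.7 - - {_TS} "GET {_EP}?spellchecker_lang=en HTTP/1.1" 200 300',
    f'203.0.113.9 - - {_TS} "GET {_EP}?aspell_path=aspell%3BPLACEHOLDER HTTP/1.1" 200 0',
    f'203.0.113.9 - - {_TS} "POST {_EP}?spellchecker_lang=en%7CPLACEHOLDER HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Access logs normally record only the query string, so parameters sent in a POST body need WAF or reverse-proxy request logging to be inspected the same way.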
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
OSV
EGroupware Code Injection vulnerability
osv·2022-05-17
CVE-2010-3313 [HIGH] EGroupware Code Injection vulnerability
GHSA
EGroupware Code Injection vulnerability
ghsa·2022-05-17
CVE-2010-3313 [HIGH] CWE-94 EGroupware Code Injection vulnerability
VulnCheck
egroupware egroupware Improper Control of Generation of Code ('Code Injection')
vulncheck·2010·CVSS 7.5
CVE-2010-3313 [HIGH] egroupware egroupware Improper Control of Generation of Code ('Code Injection')
Affected: egroupware egroupware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006493; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006500; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006495; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006499; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techni
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006502; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006492; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006503; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006496; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006498; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006497; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
Suricata
ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3313 [HIGH] ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; classtype:web-application-attack; sid:2006501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Exploit-DB
Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Code Execution (MS16-099)
exploitdb·2016-08-10·CVSS 7.8
CVE-2016-3313 [HIGH] Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Code Execution (MS16-099)
---
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
1) Introduction
Microsoft Word is a word processor developed by Microsoft. It was first re
Exploit-DB
eGroupWare 1.6.002 and eGroupWare premium line 9.1 - Multiple Vulnerabilities
exploitdb·2010-03-16
CVE-2010-3314 eGroupWare 1.6.002 and eGroupWare premium line 9.1 - Multiple Vulnerabilities
---
Advisory Name: Remote Command Execution in EGroupware
Vulnerability Class: Remote Command Execution
Release Date: 2010-03-09
Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected.
Affected Platforms: Multiple
Local / Remote: Remote
Severity: High – CVSS: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Researcher: Nahuel Grisolía
Vendor Status: Acknowledged / Fixed.
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
Vulnerability Description:
EGroupware is prone to a remot
No writeups or analysis indexed.
- http://www.debian.org/security/2010/dsa-2013
- http://www.egroupware.org/news?item=93
- http://www.exploit-db.com/exploits/11777/
- http://www.openwall.com/lists/oss-security/2010/09/21/7
2010-09-22
Published
Exploited in the wild