EGroupware SQL Injection Vulnerability in Nextmatch Filter Processing

Vulnerability

A SQL injection vulnerability has been identified in EGroupware versions prior to 23.1.20260113 and 26.0.20260113. The issue resides in the core components of EGroupware, specifically within the 'Nextmatch' filter processing. It allows authenticated attackers to inject arbitrary SQL into the 'WHERE' clause of database queries. The injection is made possible by a PHP type juggling issue: when the request JSON is decoded, numeric string keys become integer array keys, so the application's 'is_int()' check on those keys passes and the intended validation is circumvented.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or deletion within the application's database.

Reproduction

The vulnerability can be reproduced by sending a JSON payload with numeric string keys to an endpoint that processes 'Nextmatch' widgets. The application will interpret these keys as integers, bypassing the intended security validation and allowing the injection of malicious SQL into the database query.
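As an added illustration (not EGroupware's code), the PHP below shows the type-juggling step described above: json_decode() into an associative array turns the numeric-string key "1" into the integer key 1, so an is_int() check on the key cannot tell a trusted index from request-controlled input. The filter structure, function names and column allow-list are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample request body: "1" is a string key in the JSON text.
$body = '{"col_filter": {"1": "untrusted text from the client"}}';
$decoded = json_decode($body, true, 512, JSON_THROW_ON_ERROR);

foreach ($decoded['col_filter'] as $key => $value) {
    // PHP casts decimal-integer-looking array keys to int, so this is true.
    var_dump(is_int($key)); // bool(true)
}

// Weak pattern (hypothetical): an integer key is taken to mean "value is a
// pre-built SQL fragment", so request data reaches the WHERE clause verbatim.
function buildWhereWeak(array $filters): string
{
    $parts = [];
    foreach ($filters as $key => $value) {
        if (is_int($key)) {
            $parts[] = (string) $value;            // raw, attacker-controlled
        } else {
            $parts[] = $key . " = '" . addslashes((string) $value) . "'";
        }
    }
    return implode(' AND ', $parts);
}

// Hardened pattern: request data never contributes SQL text. Keys must be
// strings from an allow-list of column names; values are bound parameters.
function buildWhereSafe(array $filters, array $allowedColumns): array
{
    $parts = [];
    $params = [];
    foreach ($filters as $key => $value) {
        if (!is_string($key) || !in_array($key, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown filter column");
        }
        $parts[] = $key . ' = ?';
        $params[] = $value;
    }
    return [implode(' AND ', $parts), $params];
}

echo buildWhereWeak($decoded['col_filter']), "\n"; // client text lands in WHERE
[$sql, $params] = buildWhereSafe(['cat_id' => 7], ['cat_id', 'owner']);
echo $sql, "\n";                                   // cat_id = ?
try {
    buildWhereSafe($decoded['col_filter'], ['cat_id', 'owner']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";     // integer key is refused
}
```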

Remediation

Users are advised to update to EGroupware versions 23.1.20260113 or 26.0.20260113, both of which address this vulnerability.

Added: Jan 28, 2026, 5:19 PM
Updated: Jan 28, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread:          0.8
impact:          5.6
exploitability:  6.6
remediation:     7.7
relevance:       2.4
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.