CVE-2012-4240

Group-Office < 4.0.90 - Authenticated SQL Injection via Calendar Sort Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4240. PoCs published by Chris Cooper.

AI-analyzed exploit summary This is a detailed advisory describing a SQL injection vulnerability in Group-Office's calendar module. It includes proof-of-concept payloads and example requests/responses for exploiting the flaw via the 'sort' parameter in JSON.php.

Description

SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.

Exploits (1)

exploitdb WRITEUP
by Chris Cooper · textwebappsphp
https://www.exploit-db.com/exploits/21056

This is a detailed advisory describing a SQL injection vulnerability in Group-Office's calendar module. It includes proof-of-concept payloads and example requests/responses for exploiting the flaw via the 'sort' parameter in JSON.php.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Group-Office < 4.0.90
Auth required
Prerequisites: Authenticated user access to Group-Office
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/21056
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/78253
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/55383
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-09/0011.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/85171

Scores

EPSS 0.0125
EPSS Percentile 65.5%

Details

CWE
CWE-89
Status published
Products (1)
group-office/groupoffice < 4.0.89
Published Sep 11, 2014
Tracked Since Feb 18, 2026