MidnightBSD

Advisories for fonality

CVE-2016-2362 HIGH

Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 has a hardcoded password for the FTP account, which allows remote attackers to obtain access via a (1) FTP or (2) SSH connection.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
fonality fonality 12.6
fonality fonality 12.8
fonality fonality 14.1i
CVE-2016-2363 HIGH

Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command execution by leveraging access to the nobody account.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
fonality fonality 12.6
fonality fonality 12.8
fonality fonality 14.1i
CVE-2016-2364 MEDIUM

The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,NVD-CWE-Other,

Products Affected

Vendor Product Version
fonality fonality 12.6
fonality fonality 12.8
fonality fonality 14.1i
fonality hud_web *