admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freepbx | freepbx | 2.10 |
| sangoma | freepbx | 2.9 |
| freepbx | freepbx | 2.12 |
| freepbx | freepbx | 2.11 |
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freepbx | freepbx | 2.10.0.1 |
| sangoma | freepbx | * |
| sangoma | freepbx | 2.11.0.4 |
| freepbx | freepbx | 2.10.0.4 |
| freepbx | freepbx | 2.11.1.1 |
| freepbx | freepbx | 2.10.0.7 |
| sangoma | freepbx | 2.11.0.2 |
| sangoma | freepbx | 2.11.0.3 |
| freepbx | freepbx | 2.11.1.2 |
| freepbx | freepbx | 2.11.1.3 |
| freepbx | freepbx | 2.11.1.0 |
| freepbx | freepbx | 2.10.0.3 |
| freepbx | freepbx | 2.10.0.9 |
| freepbx | freepbx | 2.10.0.0 |
| freepbx | freepbx | 2.10.0.10 |
| freepbx | freepbx | 2.11.1.4 |
| sangoma | freepbx | 2.11.0.1 |
| freepbx | freepbx | 2.10.0.5 |
| freepbx | freepbx | 2.10.0.6 |
| freepbx | freepbx | 2.10.0.2 |
| freepbx | freepbx | 2.10.0.8 |
| sangoma | freepbx | 2.11.0.0 |
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sangoma | freepbx | * |
| sangoma | freepbx | 15.0.1 |
| freepbx | freepbx | 15.0.1 |
FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freepbx | disa | * |
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freepbx | contactmanager | * |
| freepbx | contactmanager | 13.0.0 |
| sangoma | freepbx | 14.0.10.3 |
| freepbx | contactmanager | 14.0.1 |
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freepbx | manager | * |
| sangoma | freepbx | * |
| freepbx | manager | 13.0.1 |