MidnightBSD

Advisories for sangoma

CVE-2009-2346 HIGH

The IAX2 protocol implementation in Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3 allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many IAX2 message exchanges, a related issue to CVE-2008-3263.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
asterisk open_source 1.4.9
asterisk open_source 1.2.23
asterisk open_source 1.2.26
asterisk open_source 1.4.11
asterisk open_source 1.4.12
asterisk asterisk b.2.3.4
asterisk asterisk c.2.3
asterisk open_source 1.2.4
asterisk open_source 1.4.14
asterisk opensource 1.4.24.1
asterisk open_source 1.2.15
asterisk open_source 1.6.1.5
asterisk open_source 1.2.2
asterisk open_source 1.4.17
asterisk asterisk b.2.5.9
asterisk open_source 1.4.3
asterisk open_source 1.2.9.1
asterisk open_source 1.4.2
asterisk open_source 1.2.6
asterisk open_source 1.4.0
asterisk open_source 1.4.4
sangoma asterisk 1.6.1.4
asterisk appliance_s800i 1.3.0.2
asterisk open_source 1.4.16.1
asterisk asterisk c.1.10.3
asterisk open_source 1.4.6
asterisk open_source 1.4.7
asterisk open_source 1.2.14
asterisk open_source 1.2.12
asterisk open_source 1.6.0.2
asterisk asterisk b.2.5.1
asterisk open_source 1.4.7.1
asterisk open_source 1.2.17
asterisk asterisk b.2.5.3
asterisk open_source 1.4.16.2
asterisk asterisk c.1.6
asterisk opensource 1.4.23.2
asterisk open_source 1.2.3
asterisk asterisk c.1.10.5
asterisk open_source 1.2.24
asterisk asterisk b.2.5.4
asterisk open_source 1.4.18.1
asterisk open_source 1.6.0
asterisk open_source 1.4.22
asterisk open_source 1.4.21
asterisk open_source 1.2.1
asterisk asterisk c.1.8.1
asterisk open_source 1.4.10.1
asterisk open_source 1.2.8
asterisk open_source 1.2.13
asterisk open_source 1.4.5
asterisk open_source 1.4.21.2
asterisk open_source 1.2.21.1
asterisk open_source 1.4.22.1
asterisk opensource 1.4.24
asterisk open_source 1.4.16
asterisk open_source 1.2.30.2
asterisk asterisk b.2.3.2
asterisk asterisk b.2.3.3
asterisk asterisk b.2.3.6
asterisk open_source 1.2.26.2
asterisk asterisk b.2.3.1
asterisk open_source 1.4.19.2
asterisk asterisk c.1.6.1
asterisk open_source 1.2.28
asterisk open_source 1.2.34
asterisk open_source 1.2.20
asterisk asterisk b.2.2.0
asterisk open_source 1.4.18
asterisk open_source 1.4.23
asterisk open_source 1.2.22
asterisk open_source 1.2.25
asterisk open_source 1.4.15
asterisk open_source 1.2.30.3
asterisk open_source 1.2.16
asterisk open_source 1.2.21
asterisk open_source 1.4.20
asterisk open_source 1.4.19
asterisk open_source 1.6.1.0
asterisk asterisk b.1.3.2
asterisk opensource 1.4.26
asterisk open_source 1.2.18
asterisk open_source 1.2.19
asterisk open_source 1.2.7
asterisk appliance_s800i 1.3
asterisk open_source 1.2.11
asterisk asterisk c.1.10.4
asterisk open_source 1.2.32
asterisk open_source 1.4.21.1
asterisk open_source 1.2.12.1
asterisk asterisk c.2.3.3
sangoma asterisk 1.6.1
asterisk open_source 1.2.5
asterisk open_source 1.2.7.1
asterisk open_source 1.6.0.1
asterisk opensource 1.4.26.1
asterisk asterisk b.2.5.6
asterisk asterisk b.2.5.8
asterisk asterisk c.1.0_beta7
asterisk open_source 1.4.8
asterisk open_source 1.2.9
asterisk open_source 1.2.0
asterisk open_source 1.4.10
asterisk asterisk b.2.2.1
asterisk open_source 1.2.30.4
asterisk asterisk c.1.6.2
asterisk open_source 1.4.22.2
asterisk open_source 1.4.12.1
asterisk asterisk c.1.0_beta8
asterisk asterisk c.3.1.0
asterisk open_source 1.6.0.3
asterisk asterisk b.1.3.3
asterisk open_source 1.2.30
asterisk open_source 1.4.1
asterisk asterisk c.2.4.2
asterisk open_source 1.4.19.1
asterisk asterisk b.2.5.5
asterisk open_source 1.2.10
asterisk open_source 1.2.29
asterisk open_source 1.4.13
asterisk asterisk c.2.1.2.1
asterisk asterisk b.2.3.5
asterisk open_source 1.2.31
asterisk open_source 1.4beta
asterisk open_source 1.2.26.1
asterisk open_source 1.2.27
asterisk open_source 1.2.33
CVE-2009-3723 MEDIUM

asterisk allows calls on prohibited networks

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863

Products Affected

Vendor Product Version
sangoma asterisk *
debian debian_linux 10.0
debian debian_linux 9.0
debian debian_linux 8.0
CVE-2010-3490 MEDIUM

Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2012-2186 HIGH

Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
asterisk open_source 1.8.7.0
asterisk open_source 1.8.9.2
asterisk open_source 1.8.2.4
asterisk open_source 1.8.5.0
asterisk open_source 1.8.4.4
asterisk open_source 1.8.10.0
asterisk open_source 10.1.3
asterisk open_source 10.2.0
asterisk open_source 10.3
asterisk certified_asterisk *
asterisk open_source 10.0.1
asterisk business_edition *
asterisk open_source 1.8.8.0
asterisk open_source 1.8.9.1
asterisk open_source 1.8.8.1
asterisk open_source 1.8.1
asterisk open_source 1.8.7.1
asterisk open_source 1.8.2.1
asterisk open_source 1.8.2.3
asterisk open_source 1.8.4.1
asterisk business_edition c.3.0
asterisk open_source 1.8.10.1
asterisk open_source 1.8.2.2
asterisk open_source 1.8.9.3
asterisk open_source 10.1.2
asterisk open_source 1.8.0
asterisk open_source 1.8.3.2
asterisk open_source 10.1.1
asterisk open_source 1.8.12
asterisk open_source 1.8.7
asterisk open_source 1.8.8.2
asterisk open_source 1.8.3.1
asterisk open_source 1.8.11.0
asterisk certified_asterisk 1.8.11
asterisk open_source 1.8.11.1
asterisk open_source 10.1.0
sangoma asterisk *
asterisk open_source 1.8.2
asterisk open_source 1.8.7.2
asterisk digiumphones *
asterisk open_source 1.8.5
asterisk open_source 1.8.4.3
asterisk open_source 1.8.3.3
asterisk open_source 1.8.1.1
asterisk open_source 1.8.4.2
asterisk open_source 10.4.0
asterisk open_source 1.8.6.0
asterisk open_source 1.8.1.2
asterisk open_source 10.3.0
asterisk open_source 1.8.12.0
asterisk open_source 10.2.1
asterisk open_source 1.8.9.0
asterisk open_source 1.8.3
asterisk open_source 10.3.1
asterisk open_source 10.0.0
asterisk open_source 1.8.4
CVE-2012-2948 MEDIUM

chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
asterisk open_source 1.8.1
asterisk open_source 1.8.7.0
asterisk open_source 1.8.5.0
asterisk open_source 10.4.0
asterisk open_source 1.8.6.0
asterisk open_source 1.8.10.0
asterisk open_source 1.8.0
asterisk open_source 1.8.11.0
asterisk open_source 10.2.0
asterisk certified_asterisk 1.8.11
asterisk open_source 10.3
asterisk open_source 10.3.0
asterisk open_source 1.8.12.0
asterisk open_source 10.1.0
sangoma asterisk *
asterisk open_source 1.8.9.0
asterisk open_source 1.8.2
asterisk open_source 1.8.3
asterisk open_source 1.8.12
asterisk open_source 1.8.5
asterisk open_source 10.0.0
asterisk open_source 1.8.8.0
CVE-2014-1903 HIGH

admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
freepbx freepbx 2.10
freepbx freepbx 2.12
freepbx freepbx 2.11
sangoma freepbx 2.9
CVE-2014-7235 HIGH

htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
freepbx freepbx 2.10.0.8
freepbx freepbx 2.10.0.2
freepbx freepbx 2.11.1.4
freepbx freepbx 2.10.0.10
sangoma freepbx *
freepbx freepbx 2.11.1.0
freepbx freepbx 2.10.0.0
sangoma freepbx 2.11.0.2
freepbx freepbx 2.11.1.1
sangoma freepbx 2.11.0.3
freepbx freepbx 2.10.0.9
freepbx freepbx 2.11.1.3
sangoma freepbx 2.11.0.4
freepbx freepbx 2.10.0.1
sangoma freepbx 2.11.0.1
freepbx freepbx 2.10.0.3
sangoma freepbx 2.11.0.0
freepbx freepbx 2.10.0.4
freepbx freepbx 2.10.0.5
freepbx freepbx 2.10.0.7
freepbx freepbx 2.11.1.2
freepbx freepbx 2.10.0.6
CVE-2017-17430 HIGH

Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows remote attackers to execute arbitrary commands via the web interface.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287

Products Affected

Vendor Product Version
sangoma netborder/vega_session_firmware 2.3.11-78-ga
CVE-2017-9358 MEDIUM

A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
sangoma asterisk 13.8.1
asterisk certified_asterisk 13.13.0
sangoma asterisk 13.15.0
sangoma asterisk 14.4.0
sangoma asterisk 14.2.0
sangoma asterisk 13.1.0
sangoma asterisk 13.8.0
sangoma asterisk 13.3.0
sangoma asterisk 13.8.2
sangoma asterisk 13.2.0
sangoma asterisk 13.13.0
sangoma asterisk 13.7.0
sangoma asterisk 13.12.0
sangoma asterisk 13.12.2
sangoma asterisk 13.4.0
sangoma asterisk 14.1.0
sangoma asterisk 14.2.1
sangoma asterisk 14.0.0
sangoma asterisk 13.11.0
sangoma asterisk 13.12.1
sangoma asterisk 13.10.0
sangoma asterisk 13.6.0
sangoma asterisk 13.5.0
sangoma asterisk 13.9.0
sangoma asterisk 13.0.0
sangoma asterisk 13.14.0
sangoma asterisk 14.3.0
CVE-2018-12228 MEDIUM

An issue was discovered in Asterisk Open Source 15.x before 15.4.1. When connected to Asterisk via TCP/TLS, if the client abruptly disconnects, or sends a specially crafted message, then Asterisk gets caught in an infinite loop while trying to read the data stream. This renders the system unusable.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
sangoma asterisk *
CVE-2018-15891 LOW

An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
freepbx freepbx 15.0.1
sangoma freepbx 15.0.1
sangoma freepbx *
CVE-2018-6393 MEDIUM

FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89

Products Affected

Vendor Product Version
sangoma freepbx 14.0.1.24
sangoma freepbx 10.13.66
CVE-2019-12147 MEDIUM

The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-88

Products Affected

Vendor Product Version
sangoma session_border_controller_firmware 2.3.23-119-ga
CVE-2019-12148 HIGH

The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin web portal without providing any credentials. This affects /var/webconfig/gui/Webconfig.inc.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88

Products Affected

Vendor Product Version
sangoma session_border_controller_firmware 2.3.23-119-ga
CVE-2019-16966 MEDIUM

An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
freepbx contactmanager *
freepbx contactmanager 14.0.1
sangoma freepbx 14.0.10.3
freepbx contactmanager 13.0.0
CVE-2019-16967 MEDIUM

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
freepbx manager *
freepbx manager 13.0.1
sangoma freepbx *
CVE-2019-19006 HIGH

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19538 MEDIUM

Sangoma FreePBX 13 through 15 and the sysadmin (aka System Admin) module 13.0.92 through 15.0.13.6 have a Remote Command Execution vulnerability that results in Privilege Escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19551 LOW

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19552 LOW

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19615 LOW

Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19851 LOW

An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-19852 LOW

An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2019-25090

A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of the component Views Handler. The manipulation of the argument dataurl leads to cross site scripting. The attack may be launched remotely. Upgrading to version 13.0.5.4 is able to address this issue. The name of the patch is 199dea7cc7020d3c469a86a39fbd80f5edd3c5ab. It is recommended to upgrade the affected component. VDB-216878 is the identifier assigned to this vulnerability.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2020-10666 HIGH

The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allows remote code execution via a URL variable to an AMI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77

Products Affected

Vendor Product Version
sangoma restapps *
CVE-2020-28242 MEDIUM

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674

Products Affected

Vendor Product Version
asterisk certified_asterisk *
sangoma asterisk *
asterisk open_source *
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-28327 LOW

A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1, and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or accessed next by the initial-creation thread. Note, however, that this crash can only occur when using a connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP transport. Also, the remote client must be authenticated, or Asterisk must be configured for anonymous calling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-404

Products Affected

Vendor Product Version
sangoma asterisk *
digium certified_asterisk 16.8
CVE-2020-36630

A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to sql injection. Upgrading to version 14.0.5.21 is able to address this issue. The name of the patch is f1a9eea2dfff30fb99d825bac194a676a82b9ec8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216771.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2021-37706 HIGH

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-191

Products Affected

Vendor Product Version
asterisk certified_asterisk 16.8.0
asterisk certified_asterisk *
sangoma asterisk *
debian debian_linux 10.0
teluu pjsip *
debian debian_linux 9.0
CVE-2021-4282

A vulnerability was found in FreePBX voicemail. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file page.voicemail.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 14.0.6.25 is able to address this issue. The name of the patch is 12e1469ef9208eda9d8955206e78345949236ee6. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216871.

Products Affected

Vendor Product Version
sangoma voicemail *
CVE-2021-4283

A vulnerability was found in FreePBX voicemail. It has been rated as problematic. Affected by this issue is some unknown functionality of the file views/ssettings.php of the component Settings Handler. The manipulation of the argument key leads to cross site scripting. The attack may be launched remotely. Upgrading to version 14.0.6.25 is able to address this issue. The name of the patch is ffce4882016076acd16fe0f676246905aa3cb2f3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216872.

Products Affected

Vendor Product Version
sangoma voicemail *
CVE-2021-45310 MEDIUM

Sangoma Technologies Corporation Switchvox Version 102409 is affected by an information disclosure vulnerability due to an improper access restriction. User information such as first name, last name, account id, server uuid, email address, profile image, number, timestamps, etc. can be extracted by sending an unauthenticated HTTP GET request to https://Switchvox-IP/main?cmd=invalid_browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor Product Version
sangoma switchvox 102409
CVE-2021-45461 HIGH

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
sangoma restapps 16.0.18.40
sangoma restapps 16.0.18.41
sangoma restapps 15.0.19.88
sangoma restapps 15.0.19.87
CVE-2022-21723 MEDIUM

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125

Products Affected

Vendor Product Version
asterisk certified_asterisk 16.8.0
sangoma asterisk *
debian debian_linux 10.0
teluu pjsip *
debian debian_linux 9.0
CVE-2022-23608 HIGH

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1, when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as dialog list collision, which eventually leads to an endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416

Products Affected

Vendor Product Version
asterisk certified_asterisk 16.8.0
asterisk certified_asterisk *
sangoma asterisk *
debian debian_linux 10.0
teluu pjsip *
debian debian_linux 9.0
CVE-2022-37325

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma asterisk 20.0.0
CVE-2022-42705

A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma asterisk 20.0.0
CVE-2022-42706

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
sangoma asterisk 20.0.0
CVE-2023-26567

Sangoma FreePBX 1805 through 2302 (when obtained as an .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.

Products Affected

Vendor Product Version
sangoma freepbx_linux_7 2105
sangoma freepbx_linux_7 2112
sangoma freepbx_linux_7 2002
sangoma freepbx_linux_7 1904
sangoma freepbx_linux_7 2008
sangoma freepbx_linux_7 2011
sangoma freepbx_linux_7 2201
sangoma freepbx_linux_7 2203
sangoma freepbx_linux_7 2202
sangoma freepbx_linux_7 1910
sangoma freepbx_linux_7 2302
sangoma freepbx_linux_7 2109
sangoma freepbx_linux_7 1805
sangoma freepbx_linux_7 2104
CVE-2023-37457

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2

Products Affected

Vendor Product Version
sangoma certified_asterisk 13.13.0
sangoma certified_asterisk 18.9
digium asterisk 21.0.0
digium asterisk *
sangoma certified_asterisk 16.8.0
CVE-2023-43336

Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2023-49294

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when `live_dangerously` is not enabled. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk 18.9-cert6, contain a fix for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security-advisories@github.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
sangoma certified_asterisk 13.13.0
sangoma certified_asterisk 18.9
digium asterisk 21.0.0
digium asterisk *
sangoma certified_asterisk 16.8.0
CVE-2023-49786

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
sangoma certified_asterisk 13.13.0
sangoma certified_asterisk 18.9
digium asterisk 21.0.0
digium asterisk *
sangoma certified_asterisk 16.8.0
CVE-2024-35190

Asterisk is an open source private branch exchange and telephony toolkit. After an upgrade to 18.23.0, all unauthorized SIP requests are identified as a PJSIP endpoint of the local Asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
sangoma asterisk 20.8.0
sangoma asterisk 21.3.0
sangoma asterisk 18.23.0
CVE-2024-42491

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H 2.1 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2024-49215

An issue was discovered in Sangoma Asterisk through 18.20.0, 19.x and 20.x through 20.5.0, and 21.x through 21.0.0, and Certified Asterisk through 18.9-cert5. In manager.c, the functions action_getconfig() and action_getconfigJson() do not validate the input file path, resulting in a path traversal vulnerability. In versions without the restrictedFile() function, no processing is done on the input path at all. In versions with the restrictedFile() function, path traversal sequences are still not handled.

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
sangoma asterisk 21.0.0
CVE-2024-53564

A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
sangoma freepbx 17.0.19.17
CVE-2024-53566

An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to perform path traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
sangoma asterisk 22.0.0
debian debian_linux 11.0
CVE-2024-57520

Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
sangoma asterisk *
CVE-2024-58294

FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
sangoma freepbx 16.0
CVE-2025-1131

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk 20.7
CVE-2025-32105

A buffer overflow in the Sangoma IMG2020 HTTP server through 2.3.9.6 allows an unauthenticated user to achieve remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
sangoma img2020_firmware *
CVE-2025-47779

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, authentication of SIP requests of type MESSAGE (RFC 3428) is not properly aligned with the identity asserted in the request. An authenticated attacker can therefore spoof any user identity and, using their own authorization token, send messages that appear to come from trusted entities. Even administrators who follow the Security best practices and Security Considerations can be impacted. Abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 3.1 4.0

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2025-47780

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands from being run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work. An administrator who relies on `cli_permissions.conf` to deny all attempts to execute shell commands is therefore exposed. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2025-49832

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken/verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2025-54995

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk *
CVE-2025-55211

FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing languages of the framework module. This vulnerability is fixed in 17.0.21.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-57767

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
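CVE-2025-47779 (above) and CVE-2025-57767 are both failures in how an incoming request's Authorization header is checked against what the server expects: the realm must be the one the server challenged with, and a mismatch must yield "no usable header" rather than a NULL dereference; and the identity asserted in From must be the identity that actually authenticated. The following is an added example written for this page in Python, not Asterisk's C code from res_pjsip_authenticator_digest: it parses a constructed SIP MESSAGE request, reproduces the two checks, and returns a decision instead of crashing. Verification of the digest response itself (the hash check) is assumed to happen elsewhere and is not shown; the realm, users and sample requests are made up.

```python
import re

# Constructed value for the example: the realm the server put in its
# 401 WWW-Authenticate challenge.
SERVER_REALM = "asterisk"

_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(rest)}


def parse_sip_request(raw):
    """Split a SIP request into (request line, {lower-case header name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the headers; body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def get_authorization_header(headers, expected_realm):
    """The check behind CVE-2025-57767: return the Digest parameters only if
    their realm is the one we challenged with, otherwise None. Callers must
    treat None as 'send a fresh 401' and never read fields from it."""
    value = headers.get("authorization")
    if value is None:
        return None
    params = parse_digest_params(value)
    if not params or params.get("realm") != expected_realm:
        return None
    return params


def from_user(headers):
    """User part of the From URI, e.g. 'alice' from '<sip:alice@host>;tag=1'."""
    match = re.search(r"<?sips?:([^@>;]+)@", headers.get("from", ""))
    return match.group(1) if match else None


def precheck_message(raw, expected_realm):
    """Gate a MESSAGE request. Returns (accepted, reason). Checking the digest
    response value is assumed to happen elsewhere (not shown here)."""
    request_line, headers = parse_sip_request(raw)
    if not request_line.startswith("MESSAGE "):
        return False, "not a MESSAGE request"
    params = get_authorization_header(headers, expected_realm)
    if params is None:
        # Unpatched code went on to read the algorithm out of a NULL header here.
        return False, "challenge: no usable Digest Authorization for this realm"
    # The alignment behind CVE-2025-47779: the asserted From identity must be
    # the identity that authenticated, or any user can impersonate any other.
    sender, authed = from_user(headers), params.get("username")
    if sender != authed:
        return False, f"From user {sender!r} is not the authenticated user {authed!r}"
    return True, "accepted"


def _request(from_user_part, auth_user, realm):
    """Build a constructed MESSAGE request (sample data, not a capture)."""
    return (
        "MESSAGE sip:bob@example.invalid SIP/2.0\r\n"
        f"From: <sip:{from_user_part}@example.invalid>;tag=1\r\n"
        "To: <sip:bob@example.invalid>\r\n"
        f'Authorization: Digest username="{auth_user}", realm="{realm}", '
        'nonce="n1", uri="sip:bob@example.invalid", response="0123abcd"\r\n'
        "Content-Type: text/plain\r\n\r\nhello"
    )


GOOD = _request("alice", "alice", SERVER_REALM)
SPOOFED_FROM = _request("ceo", "alice", SERVER_REALM)   # CVE-2025-47779 pattern
WRONG_REALM = _request("alice", "alice", "other")       # CVE-2025-57767 pattern

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("spoofed From", SPOOFED_FROM), ("wrong realm", WRONG_REALM)):
        print(name, precheck_message(req, SERVER_REALM))
```

The wrong-realm case is the one that crashed Asterisk: the lookup legitimately returns nothing, and the only correct response is a new challenge, so every caller of the lookup has to handle the "nothing" result.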

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
sangoma asterisk *
CVE-2025-57819

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-59056

FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability is fixed in 15.0.38, 16.0.41, and 17.0.21.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-59429

FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and is available by default on version 16 via any bound IP address at port 8088. By default on version 17, the binding is only to localhost IP, making it significantly less vulnerable. The vulnerability can be exploited by unauthenticated attackers to obtain cookies from logged-in users, allowing them to hijack a session of an administrative user. The theft of admin session cookies allows attackers to gain control over the FreePBX admin interface, enabling them to access sensitive data, modify system configurations, create backdoor accounts, and cause service disruption. This issue has been patched in version 16.0.68.39 for FreePBX 16 and version 17.0.18.38 for FreePBX 17.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-64328

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to obtain remote access to the system as an asterisk user. This issue is fixed in version 17.0.3.

Products Affected

Vendor Product Version
sangoma freepbx *
sangoma firestore *
CVE-2025-66039

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-67722

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2025-67736

tts (Text to Speech) is a module for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with administrative access to the Administrator Control Panel (ACP) can leverage this SQL injection vulnerability to extract sensitive information from the database and execute code on the system as the `asterisk` user, with chained elevation to `root` privileges. Users should upgrade to version 16.0.5 or 17.0.5 to receive a fix.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2026-23738

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/controlled values for Cookies and any GET query parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus, implemented in asterisk/main/http.c, is the potentially vulnerable endpoint. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
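The /httpstatus issue is plain HTML interpolation of attacker-controlled strings. As an added example in Python, not the C in main/http.c, the two renderers below take a constructed query string and Cookie header: the first appends them verbatim, which is the pattern the advisory describes, and the second escapes every user-derived string (quotes included) before it is placed in the page.

```python
import html
from urllib.parse import parse_qsl

# Constructed request pieces, as an attacker might send them to /httpstatus.
SAMPLE_QUERY = "endpoint=<script>alert(document.cookie)</script>&x=1"
SAMPLE_COOKIE = 'session=abc"; <img src=x onerror=alert(1)>'


def _rows(query_string, cookie_header):
    """Everything the status page echoes back: each query pair plus the cookie."""
    rows = list(parse_qsl(query_string, keep_blank_values=True))
    rows.append(("Cookie", cookie_header))
    return rows


def render_unsafe(query_string, cookie_header):
    """Vulnerable pattern: values concatenated straight into the markup."""
    cells = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>"
                    for k, v in _rows(query_string, cookie_header))
    return f"<table>{cells}</table>"


def render_safe(query_string, cookie_header):
    """Hardened form: HTML-escape (with quote=True) at the point of interpolation."""
    cells = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in _rows(query_string, cookie_header))
    return f"<table>{cells}</table>"


def has_live_markup(page, user_strings):
    """True if any user-supplied string containing markup survived unescaped."""
    return any("<" in s and s in page for s in user_strings)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY, SAMPLE_COOKIE))
    print(render_safe(SAMPLE_QUERY, SAMPLE_COOKIE))
```

Escaping at the output sink, rather than trying to filter the input, is what keeps the fix independent of which header or parameter the attacker chooses to carry the payload in.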

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2026-23739

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied XML file is passed to this function, an attacker can trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in XML format that the asterisk process then parses. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
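To see what XML_PARSE_NOENT-style entity expansion does, here is an added example in Python, not Asterisk's xml.c: the standard-library xml.sax parser with its feature_external_ges switch stands in for the unsafe libxml2 flag. A constructed document declares an external entity whose SYSTEM id is a local "secret" file; with expansion off the reference is silently dropped, with it on the file's contents land in the parsed text. XInclude is not covered here, and the file names and secret are made up.

```python
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Accumulates character data so we can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(path, resolve_external_entities):
    """Parse an XML file and return its concatenated character data.
    resolve_external_entities plays the role of libxml2's XML_PARSE_NOENT:
    when on, an external entity with a local SYSTEM id is opened and its
    contents are substituted into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(path)
    return "".join(collector.parts).strip()


def build_fixture():
    """Constructed inputs: a 'secret' file and a config document whose DTD
    declares an external entity pointing at it. Returns (xml_path, secret)."""
    workdir = tempfile.mkdtemp(prefix="asterisk-xxe-")
    secret_path = os.path.join(workdir, "secret.txt")
    secret = "db_password=hunter2"
    with open(secret_path, "w") as fh:
        fh.write(secret)
    xml_path = os.path.join(workdir, "config.xml")
    with open(xml_path, "w") as fh:
        fh.write('<?xml version="1.0"?>\n'
                 f'<!DOCTYPE cfg [ <!ENTITY leak SYSTEM "{secret_path}"> ]>\n'
                 '<cfg><name>&leak;</name></cfg>\n')
    return xml_path, secret


def demo():
    """Return (text with expansion off, text with expansion on, the secret)."""
    xml_path, secret = build_fixture()
    return parse_text(xml_path, False), parse_text(xml_path, True), secret


if __name__ == "__main__":
    off, on, secret = demo()
    print("expansion off:", repr(off))
    print("expansion on: ", repr(on))
```

The safe configuration is the parser's default; the lesson of the advisory is that a single option set for convenience turns any path the parser sees into a file-read primitive for whoever controls the document.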

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 0.5 1.4

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2026-23740

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission to that directory (which is every user on a Linux system) can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 0.0 NONE CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N 1.8 0.0
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
sangoma certified_asterisk 13.13.0
sangoma certified_asterisk 16.8
sangoma asterisk *
sangoma certified_asterisk 18.9
sangoma certified_asterisk 20.7
sangoma certified_asterisk 16.8.0
CVE-2026-23741

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper script runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script sources the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a directory writable by the asterisk user and group. Because /etc/asterisk/ast_debug_tools.conf follows bash semantics and is loaded by sourcing, an attacker with write permission may add or modify the file so that, when ast_coredumper is run as root, it sources and thereby executes arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
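CVE-2025-1131 (safe_asterisk sourcing startup.d/*.sh), CVE-2025-67722 (amportal executing freepbx_engine) and CVE-2026-23741 (ast_coredumper sourcing ast_debug_tools.conf) share one root cause: a root-run script consumes files from /etc/asterisk, which FreePBX leaves writable by the asterisk user and group. The audit below is an added example written for this page in Python, not code from Asterisk, FreePBX or Sangoma. It checks the paths the three advisories name (the list is assembled here, not taken from any package), flags anything not owned by a trusted user, group- or world-writable, or a symlink, and exercises itself against a constructed throwaway directory so it runs offline. Point it at the real /etc/asterisk to audit a live host.

```python
import os
import pwd
import stat
import tempfile

# Paths under /etc/asterisk that root-run helper scripts read or execute,
# per the advisories for safe_asterisk, amportal and ast_coredumper.
# Assembled for this check; not a list shipped by any package.
ROOT_CONSUMED = ("startup.d", "freepbx_engine", "ast_debug_tools.conf")


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                     # orphaned uid: report it numerically
        return str(uid)


def current_user():
    return _owner_name(os.getuid())


def audit_asterisk_etc(etc_asterisk, trusted_owners=("root",)):
    """Return a sorted list of (relative path, problem) for every path that a
    root-run script consumes and a non-trusted principal could control. The
    directory itself is included: a group-writable /etc/asterisk lets any
    member of the asterisk group drop new files into it."""
    candidates = [("", etc_asterisk)]
    for rel in ROOT_CONSUMED:
        full = os.path.join(etc_asterisk, rel)
        if os.path.isdir(full) and not os.path.islink(full):
            candidates.append((rel, full))
            for name in sorted(os.listdir(full)):
                if name.endswith(".sh"):          # safe_asterisk sources only *.sh
                    candidates.append((os.path.join(rel, name), os.path.join(full, name)))
        elif os.path.lexists(full):
            candidates.append((rel, full))

    findings = []
    for rel, full in candidates:
        label = rel or "."
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            findings.append((label, "is a symlink"))
            continue
        owner = _owner_name(st.st_uid)
        if owner not in trusted_owners:
            findings.append((label, f"owned by {owner}, not a trusted owner"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((label, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((label, "world-writable"))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a throwaway /etc/asterisk look-alike with a
    group-writable startup.d/ and a group-writable hook inside it."""
    root = tempfile.mkdtemp(prefix="etc-asterisk-")
    hooks = os.path.join(root, "startup.d")
    os.mkdir(hooks)
    os.chmod(hooks, 0o775)                                   # flagged
    for rel, mode in (("startup.d/evil.sh", 0o664),          # flagged
                      ("freepbx_engine", 0o644),             # clean
                      ("ast_debug_tools.conf", 0o640)):      # clean
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, problem in audit_asterisk_etc(tree, trusted_owners=(current_user(),)):
        print(f"{path}: {problem}")
```

On a real FreePBX host most of these files will be owned by asterisk rather than root, so the useful signal is the ownership line: anything root executes or sources should be root-owned and not writable by the service account, regardless of the group-write bit.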

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 0.0 NONE CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N 1.8 0.0

Products Affected

Vendor Product Version
sangoma asterisk *
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
CVE-2026-28209

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2026-28210

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2026-28284

FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.

Products Affected

Vendor Product Version
sangoma freepbx *
CVE-2026-28287

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.

Products Affected

Vendor Product Version
sangoma freepbx *