RSS   Podatności dla 'Freepbx'   RSS

2019-11-21
 
CVE-2019-19006

CWE-863
 

 
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

 
2019-06-20
 
CVE-2018-15891

CWE-79
 

 
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.

 
2018-01-29
 
CVE-2018-6393

CWE-89
 

 
** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors."

 
2014-10-07
 
CVE-2014-7235

 

 
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.

 
2014-02-18
 
CVE-2014-1903

CWE-264
 

 
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.

 
2012-09-06
 
CVE-2012-4870

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) context parameter to panel/index_amp.php or (2) panel/dhtml/index.php; (3) clid or (4) clidname parameters to panel/flash/mypage.php; (5) PATH_INFO to admin/views/freepbx_reload.php; or (6) login parameter to recordings/index.php.

 
 
CVE-2012-4869

CWE-94
 

 
The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

 
2010-09-28
 
CVE-2010-3490

CWE-22
 

 
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.

 
2009-12-29
 
CVE-2009-4458

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 and 2.6.0rc2, and possibly other versions, allow remote attackers to inject arbitrary web script or HTML via the (1) tech parameter to admin/admin/config.php during a trunks display action, the (2) description parameter during an Add Zap Channel action, and (3) unspecified vectors during an Add Recordings action.

 
2009-05-28
 
CVE-2009-1803

CWE-200
 

 
FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

 


Copyright 2024, cxsecurity.com

 

Back to Top