CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 1CVE-2023-43336
https://notcve.org/view.php?id=CVE-2023-43336
02 Nov 2023 — Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101. Se descubrió que Sangoma Technologies FreePBX anterior a cdr 15.0.18, 16.0.40, 15.0.16 y 16.0.17 contenía un problema de control de acceso a través de un valor de parámetro modificado, por ejemplo, cambiando extensión=self a extensión=101. • http://freepbx.com • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-25090 – FreePBX arimanager Views cross site scripting
https://notcve.org/view.php?id=CVE-2019-25090
27 Dec 2022 — A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of the component Views Handler. The manipulation of the argument dataurl leads to cross site scripting. The attack may be launched remotely. Upgrading to version 13.0.5.4 is able to address this issue. • https://github.com/FreePBX/arimanager/commit/199dea7cc7020d3c469a86a39fbd80f5edd3c5ab • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36630 – FreePBX cdr Cdr.class.php ajaxHandler sql injection
https://notcve.org/view.php?id=CVE-2020-36630
25 Dec 2022 — A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to sql injection. Upgrading to version 14.0.5.21 is able to address this issue. • https://github.com/FreePBX/cdr/commit/f1a9eea2dfff30fb99d825bac194a676a82b9ec8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19852
https://notcve.org/view.php?id=CVE-2019-19852
16 Mar 2020 — An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4. Se presenta una vulnerabilidad de Inyección XSS en Sangoma FreePBX y PBXact versiones 13, 14 y 15 dentro de la pantalla de reporte Call Event Logging en el módulo cel en el URI admin/config.php?display=cel por medio de cam... • https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Call+Event+Logging+module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19615
https://notcve.org/view.php?id=CVE-2019-19615
16 Mar 2020 — Multiple XSS vulnerabilities exist in the Backup & Restore module \ v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account. Se presentan múltiples vulnerabilidades XSS en el módulo Backu... • https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 1%CPEs: 3EXPL: 0CVE-2019-19538
https://notcve.org/view.php?id=CVE-2019-19538
16 Mar 2020 — In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation. En Sangoma, los módulos FreePBX versiones 13 hasta 15 y sysadmin versiones 13.0.92 hasta 15.0.13.6 (también se conoce como System Admin), presentan una vulnerabilidad de Ejecución de Comandos Remota que resulta en una Escalada de Privilegios. • https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-00 •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19851
https://notcve.org/view.php?id=CVE-2019-19851
16 Mar 2020 — An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20. Se presenta una vulnerabilidad de Inyección de XSS en Sangoma FreePBX y PBXact versiones 13, 14 y 15, dentro de la página Debug/Test del módulo Superfecta en el URI admin/config.php?display=superfecta. • https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Superfecta+Module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19551
https://notcve.org/view.php?id=CVE-2019-19551
06 Dec 2019 — In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's ... • https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19552
https://notcve.org/view.php?id=CVE-2019-19552
06 Dec 2019 — In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account. En userman versiones 13.0.76.43 hasta 15.0.20 en Sangoma FreePBX, s... • https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 3EXPL: 0CVE-2019-19006
https://notcve.org/view.php?id=CVE-2019-19006
21 Nov 2019 — Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. Sangoma FreePBX versión 115.0.16.26 y anteriores, versión 14.0.13.11 y anteriores, versión 13.0.197.13 y anteriores, presenta un Control de Acceso Incorrecto. • https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772 • CWE-287: Improper Authentication •