CVE-2023-26567
https://notcve.org/view.php?id=CVE-2023-26567
Sangoma FreePBX 1805 through 2302 (when obtained as a ,.ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call. • https://qsecure.com.cy/resources/advisories/sangoma-freepbx-linux-insecure-permissions https://www.freepbx.org https://www.sangoma.com/products/open-source • CWE-522: Insufficiently Protected Credentials •
CVE-2019-25090 – FreePBX arimanager Views cross site scripting
https://notcve.org/view.php?id=CVE-2019-25090
A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of the component Views Handler. The manipulation of the argument dataurl leads to cross site scripting. The attack may be launched remotely. Upgrading to version 13.0.5.4 is able to address this issue. • https://github.com/FreePBX/arimanager/commit/199dea7cc7020d3c469a86a39fbd80f5edd3c5ab https://github.com/FreePBX/arimanager/releases/tag/release%2F13.0.5.4 https://vuldb.com/?ctiid.216878 https://vuldb.com/?id.216878 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-4283 – FreeBPX voicemail Settings ssettings.php cross site scripting
https://notcve.org/view.php?id=CVE-2021-4283
A vulnerability was found in FreeBPX voicemail. It has been rated as problematic. Affected by this issue is some unknown functionality of the file views/ssettings.php of the component Settings Handler. The manipulation of the argument key leads to cross site scripting. The attack may be launched remotely. • https://github.com/FreePBX/voicemail/commit/ffce4882016076acd16fe0f676246905aa3cb2f3 https://github.com/FreePBX/voicemail/releases/tag/release%2F14.0.6.25 https://vuldb.com/?ctiid.216872 https://vuldb.com/?id.216872 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-4282 – FreePBX voicemail page.voicemail.php cross site scripting
https://notcve.org/view.php?id=CVE-2021-4282
A vulnerability was found in FreePBX voicemail. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file page.voicemail.php. The manipulation leads to cross site scripting. The attack can be launched remotely. • https://github.com/FreePBX/voicemail/commit/12e1469ef9208eda9d8955206e78345949236ee6 https://github.com/FreePBX/voicemail/releases/tag/release%2F14.0.6.25 https://vuldb.com/?ctiid.216871 https://vuldb.com/?id.216871 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-36630 – FreePBX cdr Cdr.class.php ajaxHandler sql injection
https://notcve.org/view.php?id=CVE-2020-36630
A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to sql injection. Upgrading to version 14.0.5.21 is able to address this issue. • https://github.com/FreePBX/cdr/commit/f1a9eea2dfff30fb99d825bac194a676a82b9ec8 https://github.com/FreePBX/cdr/releases/tag/release%2F14.0.5.21 https://vuldb.com/?ctiid.216771 https://vuldb.com/?id.216771 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •