CVE-2020-10666
https://notcve.org/view.php?id=CVE-2020-10666
The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allows remote code execution via a URL variable to an AMI command. El módulo restapps (también se conoce como aplicaciones Rest Phone) para Sangoma FreePBX y PBXact versiones 13, 14 y 15 hasta 15.0.19.2, permite una ejecución de código remota por medio de una variable URL en un comando AMI • https://wiki.freepbx.org/display/FOP/2020-03-12+SECURITY%3A+Potential+Rest+Phone+Apps+RCE https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2019-19852
https://notcve.org/view.php?id=CVE-2019-19852
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4. Se presenta una vulnerabilidad de Inyección XSS en Sangoma FreePBX y PBXact versiones 13, 14 y 15 dentro de la pantalla de reporte Call Event Logging en el módulo cel en el URI admin/config.php?display=cel por medio de campos de fecha. • https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Call+Event+Logging+module https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-19615
https://notcve.org/view.php?id=CVE-2019-19615
Multiple XSS vulnerabilities exist in the Backup & Restore module \ v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account. Se presentan múltiples vulnerabilidades XSS en el módulo Backup & Restore \ versiones v14.0.10.2 hasta v14.0.10.7 para FreePBX, como se muestra en /admin/config.php? • https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities https://wiki.freepbx.org/pages/viewpage.action?pageId=175177911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-19538
https://notcve.org/view.php?id=CVE-2019-19538
In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation. En Sangoma, los módulos FreePBX versiones 13 hasta 15 y sysadmin versiones 13.0.92 hasta 15.0.13.6 (también se conoce como System Admin), presentan una vulnerabilidad de Ejecución de Comandos Remota que resulta en una Escalada de Privilegios. • https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-00 https://wiki.freepbx.org/display/FOP/2019-12-03+Remote+Command+Execution •
CVE-2019-19851
https://notcve.org/view.php?id=CVE-2019-19851
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20. Se presenta una vulnerabilidad de Inyección de XSS en Sangoma FreePBX y PBXact versiones 13, 14 y 15, dentro de la página Debug/Test del módulo Superfecta en el URI admin/config.php?display=superfecta. • https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Superfecta+Module https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •