
CVE-2012-4869 – FreePBX 2.9.0/2.10.0 - 'callmenum' Remote Code Execution
https://notcve.org/view.php?id=CVE-2012-4869
06 Sep 2012 — The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action. The callme_startcall function in recordings/misc/callme_page.php in FreePBX v2.9, v2.10 and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action. • https://www.exploit-db.com/exploits/18659 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2012-4870 – FreePBX 2.9.0/2.10.0 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-4870
06 Sep 2012 — Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) context parameter to panel/index_amp.php or (2) panel/dhtml/index.php; (3) clid or (4) clidname parameters to panel/flash/mypage.php; (5) PATH_INFO to admin/views/freepbx_reload.php; or (6) login parameter to recordings/index.php. Multiple cross-site scripting (XSS) vulnerabilities in FreePBX v2.9 and earlier allow remote attackers to... • https://www.exploit-db.com/exploits/18649 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-3490 – FreePBX 2.8.0 - Recordings Interface Allows Remote Code Execution
https://notcve.org/view.php?id=CVE-2010-3490
28 Sep 2010 — Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root. Multiple directory traversal vulnerabilities in page.recordings.php in the System Recordings component in the configuration interface in FreePBX v2... • https://www.exploit-db.com/exploits/15098 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2009-1801
https://notcve.org/view.php?id=CVE-2009-1801
28 May 2009 — Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php. NOTE: some of these details are obtained from third party information. Multiple cross-site scripting (XSS) vulnerabilities in FreePBX... • http://freepbx.org/trac/ticket/3660 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2009-1802
https://notcve.org/view.php?id=CVE-2009-1802
28 May 2009 — Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact. Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of administrators in requests... • http://freepbx.org/trac/ticket/3660 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2009-1803
https://notcve.org/view.php?id=CVE-2009-1803
28 May 2009 — FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. FreePBX v2.5.1, v2.4.x, v2.5.x, and pre-release v2.6.x generate different errors after failed login attempts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. • http://freepbx.org/trac/ticket/3660 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor