CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-43336
https://notcve.org/view.php?id=CVE-2023-43336
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101. Se descubrió que Sangoma Technologies FreePBX anterior a cdr 15.0.18, 16.0.40, 15.0.16 y 16.0.17 contenía un problema de control de acceso a través de un valor de parámetro modificado, por ejemplo, cambiando extensión=self a extensión=101. • http://freepbx.com http://sangoma.com https://medium.com/%40janirudransh/security-disclosure-of-vulnerability-cve-2023-23336-4429d416f826 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36630 – FreePBX cdr Cdr.class.php ajaxHandler sql injection
https://notcve.org/view.php?id=CVE-2020-36630
A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to sql injection. Upgrading to version 14.0.5.21 is able to address this issue. • https://github.com/FreePBX/cdr/commit/f1a9eea2dfff30fb99d825bac194a676a82b9ec8 https://github.com/FreePBX/cdr/releases/tag/release%2F14.0.5.21 https://vuldb.com/?ctiid.216771 https://vuldb.com/?id.216771 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19852
https://notcve.org/view.php?id=CVE-2019-19852
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4. Se presenta una vulnerabilidad de Inyección XSS en Sangoma FreePBX y PBXact versiones 13, 14 y 15 dentro de la pantalla de reporte Call Event Logging en el módulo cel en el URI admin/config.php?display=cel por medio de campos de fecha. • https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Call+Event+Logging+module https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19615
https://notcve.org/view.php?id=CVE-2019-19615
Multiple XSS vulnerabilities exist in the Backup & Restore module \ v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clicks the link, the XSS payload will render and execute in the context of the victim user's account. Se presentan múltiples vulnerabilidades XSS en el módulo Backup & Restore \ versiones v14.0.10.2 hasta v14.0.10.7 para FreePBX, como se muestra en /admin/config.php? • https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities https://wiki.freepbx.org/pages/viewpage.action?pageId=175177911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19538
https://notcve.org/view.php?id=CVE-2019-19538
In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation. En Sangoma, los módulos FreePBX versiones 13 hasta 15 y sysadmin versiones 13.0.92 hasta 15.0.13.6 (también se conoce como System Admin), presentan una vulnerabilidad de Ejecución de Comandos Remota que resulta en una Escalada de Privilegios. • https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-00 https://wiki.freepbx.org/display/FOP/2019-12-03+Remote+Command+Execution •