SEC-2023-002
CVE ID: CVE-2023-44274
Overview:
The FreePBX modules and versions noted below contain a vulnerability that allows an authenticated user with normal user privileges to execute arbitrary system commands by exploiting a flaw in the application's request processing mechanism. Specifically, the issue manifests when a crafted request is sent to the GQL token endpoint.
...
FreePBX 16 API Module - v16.0.13+
Further Details:
FreePBX has an authentication vulnerability in the API module that potentially allows authenticated administrators to execute arbitrary system commands by exploiting a flaw in the application's request processing mechanism.
...