2016-01-06 SQL Injection CVE
SEC-2016-001
Overview:
A SQL Injection vulnerability exists in FreePBX 13 between Framework Module versions 13.0.1alpha71 and 13.0.47.
Impact:
CVSS 3 Details:
Base Score: 8.6
Temporal Score: 8.0
Environmental Score: 8.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C/CR:L/IR:M/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:L
Vulnerable software and versions:
FreePBX 13, between July 2015 (13.0.1alpha71) and January 2016 (13.0.47). Note that FreePBX 12 and earlier are not affected. This has been fixed in versions 13.0.48 and higher.
Related Information:
Official bug ticket: http://issues.freepbx.org/browse/FREEPBX-11252
Further Details:
FreePBX 13, between July 2015 (framework 13.0.1alpha71) and January 2016 (framework 13.0.47), was susceptible to a SQL Injection vulnerability that allowed an attacker to read and modify FreePBX database tables.
The Sangoma and FreePBX teams deemed this a serious security issue after the exploit was discovered in the wild, and immediately released a patch to resolve it. We strongly encourage all users of FreePBX 13 to upgrade to the latest framework version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported to security@freepbx.org.
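As an added check, not part of this advisory or of FreePBX itself, the following Python script decides whether an installed Framework module version string falls inside the affected range stated above (13.0.1alpha71 through 13.0.47 inclusive, fixed in 13.0.48). It assumes FreePBX-style version strings in which a pre-release tag such as alpha71 sorts below the final release of the same number, the ordering PHP's version_compare() applies; the sample version list at the bottom is constructed.

```python
import re

# Affected Framework module range from the advisory (inclusive bounds).
FIRST_AFFECTED = "13.0.1alpha71"
LAST_AFFECTED = "13.0.47"
FIXED_IN = "13.0.48"

# Pre-release tags rank below a final release: dev < alpha < beta < rc < release.
_TAG_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_RELEASE_RANK = 4

# numeric part, then an optional pre-release tag with an optional counter,
# e.g. "13.0.47", "13.0.1alpha71", "13.0.1-beta.2"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.\-]?([A-Za-z]+)\.?(\d+)?)?$")


def parse_version(version):
    """Turn '13.0.1alpha71' into a sortable tuple ((13, 0, 1), 1, 71)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # "13.0" compares like "13.0.0"
    tag, tag_num = m.group(2), m.group(3)
    if tag is None:
        return (nums, _RELEASE_RANK, 0)
    rank = _TAG_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return (nums, rank, int(tag_num or 0))


def is_vulnerable(version):
    """True when the framework version lies inside the affected range."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


if __name__ == "__main__":
    # Constructed sample versions, e.g. as read from several PBX hosts.
    for sample in ["12.0.76", "13.0.1alpha70", "13.0.1alpha71", "13.0.12",
                   "13.0.47", "13.0.48"]:
        status = "VULNERABLE, upgrade to %s+" % FIXED_IN if is_vulnerable(sample) \
            else "not in affected range"
        print(f"framework {sample}: {status}")
```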
Workaround:
If you are running a vulnerable version of the FreePBX 13 Framework module and are unable to upgrade, make sure that your Admin interface is not accessible from the open Internet.