2020-08-17 SQL Injection In cel module
SEC-2020-006
SQL Injection: CVE-TBD
Overview:
A SQL injection vulnerability exists in the cel module of FreePBX 13, 14, and 15 in the module versions listed below.
Discovered By:
NCC Group Security Advisory
Author: Bill Marquette <bill.marquette[at]nccgroup[dot]com>
Impact:
CVSS Base Score: 7.6
Impact Subscore: 6.0
Exploitability Subscore: 1.0
CVSS Temporal Score: 7.2
CVSS Environmental Score: 6.0
Modified Impact Subscore: 5.9
Overall CVSS Score: 6.0
Vulnerable software and versions:
FreePBX 13 - module: cel, affected version: <= 13.0.26.10, fixed version: 13.0.26.12
FreePBX 14 - module: cel, affected version: <= 14.0.2.16, fixed version: 14.0.4
FreePBX 15 - module: cel, affected version: <= 15.0.15.8, fixed version: 15.0.15.10
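To check an installed cel module version against the ranges above, the following script is added here as an example; it is not part of the advisory or of FreePBX. It takes the version string shown by Module Admin or fwconsole as input and compares it numerically, since a plain string comparison would wrongly rank 13.0.26.9 above 13.0.26.10. Versions that fall between the last affected release and the published fix are flagged separately, because the advisory does not state their status.

```python
from typing import Dict, Tuple

# Affected and fixed cel module versions exactly as listed in SEC-2020-006,
# keyed by FreePBX major version.
CEL_ADVISORY: Dict[int, Dict[str, str]] = {
    13: {"affected_max": "13.0.26.10", "fixed": "13.0.26.12"},
    14: {"affected_max": "14.0.2.16", "fixed": "14.0.4"},
    15: {"affected_max": "15.0.15.8", "fixed": "15.0.15.10"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted module version into integers so that comparison is
    numeric: '13.0.26.10' sorts after '13.0.26.9', unlike string order."""
    return tuple(int(part) for part in version.strip().split("."))


def cel_status(installed: str) -> str:
    """Classify an installed cel module version against the advisory.

    Returns one of:
      'vulnerable'     - at or below the last affected version
      'fixed'          - at or above the published fixed version
      'unlisted'       - newer than the affected range but older than the
                         fix; the advisory does not cover it, verify by hand
      'unknown-branch' - FreePBX major version not covered by this advisory
    """
    ver = parse_version(installed)
    branch = CEL_ADVISORY.get(ver[0])
    if branch is None:
        return "unknown-branch"
    if ver <= parse_version(branch["affected_max"]):
        return "vulnerable"
    if ver >= parse_version(branch["fixed"]):
        return "fixed"
    return "unlisted"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the hosts that still need attention, given a
    host -> installed cel version mapping (inventory is constructed by the caller)."""
    return {host: status for host, status in
            ((h, cel_status(v)) for h, v in inventory.items())
            if status != "fixed"}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"pbx-a": "13.0.26.10", "pbx-b": "14.0.3.2", "pbx-c": "15.0.15.10"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```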
Related Information:
Official bug ticket: https://issues.freepbx.org/browse/FREEI-1762
Further Details:
FreePBX 13, 14 and 15 were susceptible to a SQL injection vulnerability in the cel module that allowed FreePBX database tables to be read and modified.
The Sangoma and FreePBX team deemed this a serious security issue after the exploit was discovered in the wild and immediately released a patch to resolve it. We strongly encourage all users of FreePBX 13 to upgrade to the latest cel version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.