2021-10-06 SQL Injection vulnerability in Superfecta Module

  • SEC-2021-012

  • CVE Name: CVE-2021-42003

  • Overview

    • A SQL injection vulnerability exists in the superfecta module of FreePBX 13, 14, 15 and 16.

  • Discovered By: Philip Pemberton <philpem@gmail.com>

  • Impact:

CVSS Base Score: 4.5

Impact Subscore: 3.7

Exploitability Subscore: 0.4

CVSS Temporal Score: 4.1

CVSS Environmental Score: 2.1

Modified Impact Subscore: 1.9

Overall CVSS Score: 2.1

AV:P/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:P/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:L/MA:L

  • Vulnerable software and versions

    • FreePBX 13 - module: superfecta, affected version: <= 13.0.4.9, fixed version: 13.0.4.10

    • FreePBX 14 - module: superfecta, affected version: <= 14.0.29, fixed version: 14.0.30

    • FreePBX 15 - module: superfecta, affected version: <= 15.0.2.32, fixed version: 15.0.2.33

    • FreePBX 16 - module: superfecta, affected version: <= 16.0.11, fixed version: 16.0.12

SQL injection, also known as SQLi, is a common attack vector in which malicious SQL code is fed to the backend database so that it is executed as part of a query, exposing information that was never intended to be displayed.
This information may include any number of items, including sensitive company data, user lists or private customer details.

To prevent this, the fix uses a parameterized query. A parameterized query is a query in which placeholders stand in for the parameters, and the parameter values are supplied separately at execution time, so user input is never spliced into the SQL text.
The fix uses the built-in function that binds a parameter placeholder to a named variable. It binds the variables, passes their values as input (and can receive output values in return), and supplies all of them to the database at execution time.
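The following is an added example, not the superfecta module's own code, showing the two patterns the paragraph above contrasts: a lookup built by string concatenation beside the same lookup written as a PDO prepared statement with a bound parameter. The table name `cid_sources`, its rows and the query are all constructed for the illustration; it runs against an in-memory SQLite database so it needs no PBX.

```php
<?php
// Added example (not FreePBX/superfecta code). Assumes PHP with the PDO and
// pdo_sqlite extensions; the table and rows below are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table: one row per caller-ID lookup scheme.
$pdo->exec("CREATE TABLE cid_sources (scheme TEXT NOT NULL, source TEXT NOT NULL)");
$pdo->exec("INSERT INTO cid_sources VALUES ('default', 'Trunk_Provided'),
                                          ('default', 'Asterisk_Phonebook'),
                                          ('internal', 'CallerID_Cache')");

// Vulnerable pattern: the caller's input becomes part of the SQL text, so a
// quote character in $scheme changes the structure of the statement.
function lookupVulnerable(PDO $pdo, string $scheme): array
{
    $sql = "SELECT source FROM cid_sources WHERE scheme = '" . $scheme . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed pattern: a placeholder in the SQL text, with the value bound to it and
// handed to the driver at execute() time. The input is always treated as a
// single string literal, whatever characters it contains.
function lookupParameterized(PDO $pdo, string $scheme): array
{
    $stmt = $pdo->prepare("SELECT source FROM cid_sources WHERE scheme = :scheme");
    // bindParam binds by reference: the value of $scheme is read when execute() runs.
    $stmt->bindParam(':scheme', $scheme, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Normal input behaves identically in both versions.
print_r(lookupVulnerable($pdo, 'internal'));      // ["CallerID_Cache"]
print_r(lookupParameterized($pdo, 'internal'));   // ["CallerID_Cache"]

// Constructed hostile input: a quote that closes the literal and appends a
// condition that is always true.
$hostile = "' OR '1'='1";

// Concatenation: the WHERE clause now matches every row, so all sources leak.
print_r(lookupVulnerable($pdo, $hostile));        // all three sources

// Bound parameter: no scheme is literally named "' OR '1'='1", so nothing matches.
print_r(lookupParameterized($pdo, $hostile));     // []
```

Design note: `bindParam()` binds the PHP variable by reference and reads it at `execute()`, which is what the advisory means by passing the value as input and receiving output values (drivers that support INOUT parameters write back through the same reference). `bindValue()` captures the value immediately instead; either is safe against injection, since in both cases the value travels to the database separately from the SQL text.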

The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14, 15 and 16 to upgrade to the latest superfecta version. This can be done from
