2020-03-12 SECURITY: Potential Rest Phone Apps RCE

SEC-2020-004

CVE ID: CVE-2020-10666

Overview:

Remote execution vulnerabilities have been discovered in the ‘Rest Phone apps’ module for FreePBX 13, 14 and 15.

Discovered By:

Matthew Peterson

Impact:

  • CVSS Base Score: 7.4

  • Impact Subscore: 5.2

  • Exploitability Subscore: 2.2

  • CVSS Temporal Score: 6.7

  • CVSS Environmental Score: 35.6

  • Modified Impact Subscore: 2.3

  • Overall CVSS Score: 5.6

AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:X/MUI:N/MS:U/MC:X/MI:L/MA:X

Vulnerable software and versions:

The versions listed below (and any earlier version):

  • restapps any version.

The following versions contain the fix:

  • > restapps v13.0.93.2

  • > restapps v14.0.22.2

  • > restapps v15.0.19.2
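A small version check, added here as an example rather than anything shipped with the advisory or the FreePBX project: it takes the three fixed restapps releases listed above and reports whether an installed version is at or past the fix for its FreePBX branch. It assumes the listed version is itself the first fixed release, and treats any branch the advisory does not list as unfixed, since the advisory marks every earlier restapps version as affected.

```python
# Added example, not Sangoma/FreePBX code: classify an installed restapps
# version against the SEC-2020-004 (CVE-2020-10666) fixed releases.
from typing import Dict, Optional, Tuple

# Fixed restapps versions from the advisory, keyed by FreePBX major release.
# Assumption: the listed version is the first release carrying the fix.
FIXED_RESTAPPS: Dict[int, Tuple[int, ...]] = {
    13: (13, 0, 93, 2),
    14: (14, 0, 22, 2),
    15: (15, 0, 19, 2),
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn 'v14.0.22.2' or '14.0.22.2' into an int tuple for comparison."""
    parts = ver.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(p) for p in parts)


def restapps_is_fixed(ver: str) -> bool:
    """True if this restapps version is at or above the fix for its branch.

    Branches the advisory does not list (e.g. 12.x) are reported as unfixed,
    because the advisory marks every earlier restapps release as affected.
    Tuple comparison handles extra or missing trailing components
    ('14.0.22' < '14.0.22.2', while '14.0.22.10' > '14.0.22.2').
    """
    v = parse_version(ver)
    fixed: Optional[Tuple[int, ...]] = FIXED_RESTAPPS.get(v[0])
    return fixed is not None and v >= fixed


def classify(ver: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' (unparseable version)."""
    try:
        return "fixed" if restapps_is_fixed(ver) else "vulnerable"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed inventory of hosts -> installed restapps version.
    inventory = {"pbx-a": "v13.0.93.1", "pbx-b": "14.0.22.2", "pbx-c": "15.0.20"}
    for host, ver in inventory.items():
        print(f"{host}: restapps {ver} -> {classify(ver)}")
```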

Related Information

Official Bug ticket: https://issues.freepbx.org/browse/FREEI-950

Further Details:

Remote execution vulnerabilities exist in the Restapps / Phone apps module. A URL variable could potentially be passed into an AMI (Asterisk Manager Interface) command, allowing remote code execution.

The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX Distro to upgrade to the latest version of the restapps module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@sangoma.com.