FreePBX Open Source - 2020-08-17 XSS Vulnerability In logfiles

SEC-2020-A005

  • CVE Name: CVE-2020-24351

Overview:

  • An XSS injection vulnerability exists in the logfiles module of FreePBX 13 and 14 in the module versions listed under "Vulnerable software and versions" below.

  • Discovered by:

    • Florian Hauser <florian.g.hauser[at]gmail[dot]com>

Impact:

CVSS Base Score: 5.0

Impact Subscore: 4.0

Exploitability Subscore: 0.6

CVSS Temporal Score: 4.7

CVSS Environmental Score: 3.6

Modified Impact Subscore: 3.4

Overall CVSS Score: 3.6

AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H/E:P/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:H/MUI:R/MS:U/MC:L/MI:L/MA:L

Vulnerable software and versions:

  • FreePBX 13 - module: logfiles, affected version: <=13.0.10.9, fixed version: 13.0.10.10

  • FreePBX 14 - module: logfiles, affected version: <=13.0.10.8, fixed version: 13.0.10.10

Related Information:

Further Details:

A maliciously named log file whose name is not properly sanitized can cause unintended direct database access.
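The weakness described above is a file name that reaches a web page without being sanitized. As an added illustration that is not FreePBX or Sangoma code, the following PHP shows the two defensive layers a log viewer needs: an allow-list check on the file name before it is treated as a log file, and HTML encoding of every name at the point it is written into the page. The function names, the regular expression, and the constructed sample names are assumptions made for this example.

```php
<?php
// Added example (not FreePBX code): defensive handling of file names that
// originate on disk and are later rendered in an administrative web page.

// Allow-list: a plain file name made of a conservative character set.
// Anything else (path separators, HTML metacharacters, control bytes) is
// rejected before it is ever shown or used to open a file.
function isSafeLogName(string $name): bool
{
    if ($name === '.' || $name === '..') {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name);
}

// Render a list of log file names as HTML. Names that fail the allow-list
// are reported with a fixed label instead of being echoed, and every value
// placed into the markup is encoded for its context (attribute and text).
function renderLogList(array $names): string
{
    $html = "<ul>\n";
    foreach ($names as $name) {
        if (!isSafeLogName($name)) {
            // Do not echo the offending name back to the browser.
            $html .= "  <li>(file with an unexpected name was skipped)</li>\n";
            continue;
        }
        $text = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $href = htmlspecialchars('?file=' . rawurlencode($name), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "  <li><a href=\"{$href}\">{$text}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input (assumed names, not real FreePBX log files).
// The third entry carries HTML metacharacters and is skipped by the
// allow-list; the first two are listed with their names encoded.
$sample = [
    'freepbx.log',
    'full-2020-08-17.log',
    '<b>not-a-log</b>.log',
];

echo renderLogList($sample);
```

The allow-list is what keeps unexpected names out of the page entirely; the `htmlspecialchars` calls are the second line of defence so that a name which passes the list (or a future relaxation of it) still cannot break out of the element or attribute it is placed in.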

The Sangoma and FreePBX teams have deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest logfiles version. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see the PBX GUI - Module Admin User Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.