2020-08-17 XSS Vulnerability In logfiles
SEC-2020-005
CVE Name: CVE-2020-24351
Overview:
An XSS injection vulnerability exists in the logfiles module of FreePBX 13 and 14, in the module versions listed below.
Discovered By:
Florian Hauser <florian.g.hauser[at]gmail[dot]com>
Impact:
CVSS Base Score: 5.0
Impact Subscore: 4.0
Exploitability Subscore: 0.6
CVSS Temporal Score: 4.7
CVSS Environmental Score: 3.6
Modified Impact Subscore: 3.4
Overall CVSS Score: 3.6
Vulnerable software and versions:
FreePBX13 - module: logfiles, affected version: <=13.0.10.9, fixed version: 13.0.10.10
FreePBX14 - module: logfiles, affected version: <=13.0.10.8, fixed version: 13.0.10.10
Related Information:
Official Bug ticket : https://issues.freepbx.org/browse/FREEI-1789
Further Details:
The logfiles module does not properly sanitize log file names before using them. A log file with a maliciously crafted name can therefore cause unintended direct database access.
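The advisory gives no code, so the following is an added illustration of the bug class it describes, not the FreePBX logfiles module itself (which is written in PHP): a file name read from the log directory is interpolated into the module's HTML listing without being escaped, so whoever can create a file in that directory controls markup shown to the administrator. The file names, the row template and the helper names below are constructed for this example and are not from FreePBX.

```python
import html
import re

# Constructed directory listing (not from a real FreePBX host). The third
# name carries an HTML payload; an attacker only needs to be able to create
# a file with that name in the directory the module lists.
SAMPLE_LOG_NAMES = [
    "freepbx.log",
    "fail2ban.log",
    'x<img src=x onerror="alert(1)">.log',
]

# Hypothetical row template standing in for the module's listing markup.
ROW_TEMPLATE = '<tr><td><a href="?file={name}">{name}</a></td></tr>'


def render_rows_vulnerable(names):
    """Interpolates each name straight into HTML: markup in a name is rendered."""
    return "\n".join(ROW_TEMPLATE.format(name=n) for n in names)


def render_rows_escaped(names):
    """Escapes every name before interpolation.

    This alone closes the XSS: the payload still appears in the page, but as
    text (&lt;img ...&gt;), never as an element. quote=True also escapes
    double quotes so the name cannot break out of the href attribute.
    """
    return "\n".join(ROW_TEMPLATE.format(name=html.escape(n, quote=True)) for n in names)


# Allowlist for file names a log viewer should ever expose: letters, digits,
# dot, underscore and hyphen. Everything else is rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_log_name(name):
    """True only for names matching the allowlist and not a bare '.' or '..'."""
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")


def render_rows_hardened(names):
    """Rejects names outside the allowlist, then escapes what is rendered.

    The allowlist matters beyond XSS: the same name is reused in the ?file=
    parameter, so it also has to be safe as a path component. Escaping is
    kept as a second layer in case the allowlist is ever relaxed.
    """
    rows = []
    for n in names:
        if not is_safe_log_name(n):
            continue
        rows.append(ROW_TEMPLATE.format(name=html.escape(n, quote=True)))
    return "\n".join(rows)


if __name__ == "__main__":
    print("vulnerable:\n" + render_rows_vulnerable(SAMPLE_LOG_NAMES))
    print("escaped:\n" + render_rows_escaped(SAMPLE_LOG_NAMES))
    print("hardened:\n" + render_rows_hardened(SAMPLE_LOG_NAMES))
```

Running the block shows the vulnerable listing emitting a live `<img onerror=...>` element, the escaped listing emitting the same name as inert text, and the hardened listing dropping the name entirely. For a deployed system the fix is still the module upgrade below; the example only shows what the upgrade has to do.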
The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest logfiles version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.