FreePBX OpenSource Project: SEC-2023-002

SEC-2023-002

CVE ID:  CVE-2023-44274

Overview:

The FreePBX modules and versions noted below have a vulnerability which allows an authenticated user with normal user privileges to execute arbitrary system commands by exploiting a flaw in the application's request processing mechanism. Specifically, the issue manifests when a crafted request is sent to the GQL token endpoint.


Discovered By:  Systems Research Group <systems.research.group@protonmail.com> 

Impact:

CVSS Base Score: 4.2 (Impact Subscore 3.4 plus Exploitability Subscore 0.8, rounded up; the base metrics score the issue as local and requiring high privileges)

Impact Subscore: 3.4

Exploitability Subscore: 0.8

CVSS Temporal Score: 3.8 (base score adjusted by the E/RL/RC metrics: functional exploit, official fix, reasonable confidence)

CVSS Environmental Score: 5.4 (uses the modified metrics, which assume no privileges are required and high confidentiality/integrity requirements)

Modified Impact Subscore: 3.5

Overall CVSS Score: 5.4 (the environmental score)

CVSS v3 vector (base / temporal / environmental metrics):

AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:R/CR:H/IR:H/AR:M/MAV:L/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:L/MA:N

Vulnerable software and versions:

The following API module versions contain the fix; any earlier version of the module on that release line is vulnerable:

FreePBX 15 API module - v15.0.11 or later

FreePBX 16 API module - v16.0.13 or later

Further Details:

FreePBX has a vulnerability in the API module that potentially allows authenticated administrators to execute arbitrary system commands by exploiting a flaw in the application's request processing mechanism, triggered by a crafted request to the GQL token endpoint (see Overview).

The Sangoma and FreePBX engineering team has deemed this a minor security issue. We strongly encourage all users of FreePBX Distro to upgrade the API module to at least the versions noted above. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide .
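The check below is an added example, not FreePBX or Sangoma code: it reads the module table printed by `fwconsole ma list`, pulls the API module's version, and compares it against the fixed versions from this advisory, so an administrator can confirm the upgrade actually landed. The pipe-delimited table layout, the `fwconsole ma upgrade api` / `fwconsole reload` remediation commands, and the sample output (constructed, not captured from a real system) are assumptions of the example.

```shell
# Added example (not FreePBX/Sangoma code): decide from `fwconsole ma list`
# output whether the installed API module is at or above the versions fixed
# in SEC-2023-002. Assumed: the pipe-delimited table layout of
# `fwconsole ma list` shown in the constructed sample below.

# Minimum fixed API module version for a FreePBX major version (from the advisory).
fixed_version_for_major() {
    case "$1" in
        15) echo "15.0.11" ;;
        16) echo "16.0.13" ;;
        *)  return 1 ;;   # major version not covered by this advisory
    esac
}

# True (exit 0) when dotted version $1 is greater than or equal to $2.
# Compares component by component numerically, so 15.0.11 > 15.0.9.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print the Version column of the "api" row from `fwconsole ma list` output on stdin.
api_module_version() {
    awk -F'|' '$2 ~ /^ *api *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# Exit 0 if API module version $1 contains the fix, 1 if it is vulnerable,
# 2 if its major version is not covered by the advisory.
api_fixed() {
    major="${1%%.*}"
    fixed="$(fixed_version_for_major "$major")" || return 2
    version_ge "$1" "$fixed"
}

# Constructed sample of `fwconsole ma list` output (not captured from a real
# system); only the Module and Version columns matter here.
SAMPLE_MA_LIST='+----------+---------+---------+
| Module   | Version | Status  |
+----------+---------+---------+
| api      | 15.0.10 | Enabled |
| core     | 15.0.30 | Enabled |
+----------+---------+---------+'

# Report the state of the sample; on a real system pipe `fwconsole ma list`
# into api_module_version instead of the sample.
report_sample() {
    ver="$(printf '%s\n' "$SAMPLE_MA_LIST" | api_module_version)"
    if api_fixed "$ver"; then
        echo "api $ver: fixed for SEC-2023-002"
    elif [ $? -eq 2 ]; then
        echo "api $ver: major version not covered by SEC-2023-002"
    else
        echo "api $ver: vulnerable; run 'fwconsole ma upgrade api' then 'fwconsole reload'"
    fi
}

report_sample
```

The version comparison is done numerically per component rather than with string comparison, because a string compare would rank 15.0.9 above 15.0.11. Run the check as the user that normally runs fwconsole (usually root or asterisk), and re-run it after the upgrade to confirm the module row now shows a fixed version.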

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@sangoma.com.
