Home page logo
/

bugtraq logo Bugtraq mailing list archives

[CVE-2014-1903] FreePBX 2.9 through 12 RCE
From: rob.thomas () schmoozecom com
Date: Tue, 11 Feb 2014 23:44:36 GMT

Overview:
Unauthenticated user-level Remote Code Execution (RCE) vulnerability in admin/config.php, the main interface to 
FreePBX.  This bug was introduced in FreePBX 2.9, earlier versions are not affected.

Score - 8.4 
(AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M)

Reference to Advisory:
http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

Reference to Bug:
http://issues.freepbx.org/browse/FREEPBX-7123

Fixed in Versions:
2.9 -- 2.9.0.14
2.10 - 2.10.1.15
2.11 - 2.11.0.23
12 - 12.0.1alpha22

Additional Information:
FreePBX contains an automatic alert service for upgrade notifications. If your system is set up correctly, you would 
have received an email alert of this vulnerability when it was detected and fixed.  Schmoozecom strongly urges you to 
ensure that the email alert address is correct and up to date to ensure you receive notifications of security issues 
and pending updates.

Schmoozecom and FreePBX are very proactive and responsive to security issues, and care deeply about the security of our 
software and systems. We welcome security related bug reports and issues, and they can be submitted via email to 
security () freepbx org for instant attention.


  By Date           By Thread  

Current thread:
  • [CVE-2014-1903] FreePBX 2.9 through 12 RCE rob . thomas (Feb 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]