An SQL injection vulnerability exists in the Disa module of FreePBX 13 and 14, in the versions listed under the "Vulnerable software and versions" section.
Note: Disa 15 is not affected.
DcLabs Security Research Group
Ewerson Guimarães (Crash) - Dclabs <crash(at)dclabs(dot)com(dot)br>
CVSS 3 Details:
- CVSS Base Score: 3.9
- Impact Subscore: 3.4
- Exploitability Subscore: 0.5
- CVSS Temporal Score: 3.5
- CVSS Environmental Score: 2.6
- Modified Impact Subscore: 1.9
- Overall CVSS Score: 2.6
Vulnerable software and versions:
All versions earlier than the one listed below:
- < disa v126.96.36.199
The following versions contain the fix:
- >= disa v188.8.131.52
The user has to be previously authenticated as a FreePBX administrator and be tricked into clicking an external link that would generate the SQL injection.
SQL injections can be used to modify the database against a user's will.
The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13 and 14 to upgrade to the latest Disa version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported to email@example.com.