Page tree
Skip to end of metadata
Go to start of metadata


  • SEC-2020-005

  • CVE Name: CVE-2020-24351

  • Overview:

    • A XSS Injection vulnerability exists in FreePBX 13 and 14 between logfiles module versions.


  • Discovered By : 

    • Florian Hauser <florian.g.hauser[at]gmail[dot]com>

  • Impact:

CVSS Base Score:5.0

Impact Subscore:4.0

Exploitability Subscore:0.6

CVSS Temporal Score:4.7

CVSS Environmental Score:3.6

Modified Impact Subscore:3.4

Overall CVSS Score:3.6 

AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H/E:P/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:H/MUI:R/MS:U/MC:L/MI:L/MA:L

  • Vulnerable software and versions:

    • FreePBX13 - module: logfiles, affected version: <=13.0.10.9 , fixed version: 13.0.10.10

    • FreePBX14 - module: logfiles, affected version: <=13.0.10.8 , fixed version: 13.0.10.10


  • Related Information:

  • Further Details:

A maliciously named log file improperly sanitized can cause unintended direct database access.

The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest logfiles version. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.

  • No labels