CVE Name: CVE-2020-24351
An XSS injection vulnerability exists in the logfiles module of FreePBX 13 and 14, in the module version ranges listed below.
Discovered by:
Florian Hauser <florian.g.hauser[at]gmail[dot]com>
CVSS Base Score: 5.0
CVSS Temporal Score: 4.7
CVSS Environmental Score: 3.6
Modified Impact Subscore: 3.4
Overall CVSS Score: 3.6
Vulnerable software and versions:
FreePBX 13 - module: logfiles, affected version: <=188.8.131.52, fixed version: 184.108.40.206
FreePBX 14 - module: logfiles, affected version: <=220.127.116.11, fixed version: 18.104.22.168
Official bug ticket: https://issues.freepbx.org/browse/FREEI-1789
A maliciously named log file whose name is not properly sanitized before use can cause unintended direct database access.
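The advisory does not publish the affected code, so the following is an added illustration of the class of bug it describes, not FreePBX's own PHP or its database schema: a log file name taken as input is spliced into a SQL string (vulnerable), versus allowlisted and bound as a query parameter, with HTML escaping when the name is rendered back to a page. The table, the sample log entries and the malicious file name are constructed for this example.

```python
import html
import re
import sqlite3

# Constructed sample data: two log files recorded in a table (not FreePBX's schema).
SAMPLE_LOGS = {
    "full.log": "[2020-09-01] NOTICE core: module loaded",
    "freepbx_security.log": "[2020-09-01] SECURITY failed login from 203.0.113.5",
}

# Constructed malicious "log file name" of the kind the advisory describes:
# it closes the quoted literal and appends an always-true condition.
MALICIOUS_NAME = "nothing.log' OR '1'='1"

# Allowlist: a log file name must be a plain token (letters, digits, dot, dash,
# underscore) and may not start with a dot, so path tricks and quotes are rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def make_db():
    """Build an in-memory table holding the constructed sample logs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (name TEXT PRIMARY KEY, content TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?)", SAMPLE_LOGS.items())
    return conn


def is_safe_name(name):
    """True only if the name matches the conservative allowlist above."""
    return bool(SAFE_NAME.match(name))


def fetch_log_unsafe(conn, name):
    """Vulnerable pattern: the file name is interpolated into the SQL text,
    so a crafted name changes the query instead of being compared as data."""
    rows = conn.execute(f"SELECT content FROM logs WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def fetch_log_safe(conn, name):
    """Hardened pattern: reject anything outside the allowlist, then bind the
    name as a parameter so the database never parses it as SQL."""
    if not is_safe_name(name):
        raise ValueError(f"rejected log file name: {name!r}")
    rows = conn.execute("SELECT content FROM logs WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_log_list(names):
    """Escape each name before embedding it in HTML, so a name containing
    markup is shown as text rather than executed in the admin page."""
    return "".join(f"<li>{html.escape(n)}</li>" for n in names)


if __name__ == "__main__":
    conn = make_db()
    print(fetch_log_unsafe(conn, MALICIOUS_NAME))   # returns every row, not just one
    try:
        fetch_log_safe(conn, MALICIOUS_NAME)
    except ValueError as err:
        print(err)
    print(render_log_list(["full.log", "<script>alert(1)</script>.log"]))
```

The two controls are independent: parameter binding alone stops the query from being rewritten, and the allowlist alone stops odd names from reaching the query or the file system at all. Applying both, plus output escaping, covers the database and the browser side of a file name that an attacker controls.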
The Sangoma and FreePBX teams have deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest logfiles module version. This can be done from the Module Admin GUI or with fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at email@example.com.