CVE ID: CVE-2023-41903.
The FreePBX modules and versions noted below have an authentication vulnerability in the Rest Phone Apps module that potentially allows unauthorized users to bypass password authentication and access services provided by the Phone Apps module.
Discovered By: Systems Research Group <firstname.lastname@example.org>
CVSS Base Score: 7.3
CVSS Temporal Score: 6.6
CVSS Environmental Score: 5.2
Modified Impact Subscore: 1.9
Overall CVSS Score: 5.2
Vulnerable software and versions:
The following minimum modules/versions are fixed:
FreePBX 15 -
- Endpoint Manager v15.0.65
FreePBX 16 -
- Endpoint Manager v16.0.86
FreePBX has an authentication vulnerability in the Phone Rest Apps module that potentially allows unauthorized users to bypass password authentication and access services provided by the Phone Apps module.
The Sangoma and FreePBX engineering team has deemed this a minor security issue. We strongly encourage all users of FreePBX Distro to upgrade to the latest versions noted above. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
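The following is an added example, not part of the original advisory or of FreePBX itself: a POSIX shell check that reads module rows in the style of `fwconsole ma list` and compares the Endpoint Manager version with the fixed minimums listed above. The module rawname `endpoint`, the pipe-delimited table layout and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example: compare the installed Endpoint Manager version with the
# fixed minimums from this advisory (15.0.65 and 16.0.86).

# Fixed minimum for a FreePBX major branch; fails for branches not listed.
fixed_min() {
  case "$1" in
    15) echo "15.0.65" ;;
    16) echo "16.0.86" ;;
    *)  return 1 ;;
  esac
}

# version_ge A B: true when dotted numeric version A >= B, field by field.
version_ge() {
  va=$1; vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    x=${va%%.*}; y=${vb%%.*}
    case "$va" in *.*) va=${va#*.} ;; *) va= ;; esac
    case "$vb" in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    x=${x:-0}; y=${y:-0}          # a missing field counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# endpoint_status: reads module table rows on stdin and prints a verdict.
# Assumes rows look like "| endpoint | 16.0.85 | Enabled | Commercial |".
endpoint_status() {
  ver=$(awk -F'|' '{gsub(/[ \t]/,"",$2); gsub(/[ \t]/,"",$3)}
                   $2=="endpoint"{print $3; exit}')
  [ -n "$ver" ] || { echo "not-installed"; return 0; }
  case "$ver" in *[!0-9.]*) echo "unparsed:$ver"; return 0 ;; esac
  min=$(fixed_min "${ver%%.*}") || { echo "unlisted-branch:$ver"; return 0; }
  if version_ge "$ver" "$min"; then echo "fixed:$ver"
  else echo "below-fix:$ver (need $min)"; fi
}

# Constructed sample rows, not captured from a real system.
sample_rows() {
cat <<'EOF'
+----------+---------+---------+------------+
| Module   | Version | Status  | License    |
| core     | 16.0.68 | Enabled | GPLv3+     |
| endpoint | 16.0.85 | Enabled | Commercial |
+----------+---------+---------+------------+
EOF
}
sample_rows | endpoint_status   # live system: fwconsole ma list | endpoint_status
```

A `below-fix` verdict means the module should be upgraded through Module Admin or fwconsole as described above; `unlisted-branch` means the advisory gives no fixed version for that FreePBX major release.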