FreePBX versions 22.214.171.124 and below, 126.96.36.199 and below, 188.8.131.52 and below has a serious authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.
CVSS 3 Details:
- CVSS Base Score: 9.4
- Impact Subscore: 5.5
- Exploitability Subscore: 3.9
- CVSS Temporal Score: 9.0
- CVSS Environmental Score: 7.6
- Modified Impact Subscore: 4.0
- Overall CVSS Score: 7.6
Vulnerable software and versions:
The versions listed below (or less than)
- >= framework v184.108.40.206
- >= framework v220.127.116.11
- >= framework v18.104.22.168
Official Bug ticket:
Jira server Sangoma Issue Tracker columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId e92353c0-f3a7-39d2-b4d7-d9f29fa97c92 key FREEPBX-20791
The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest core version. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
Sangoma takes security seriously and request that any future FreePBX security issue be reported at firstname.lastname@example.org.