[CVE-2014-1903] FreePBX 2.9 through 12 RCE
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2014-1903] FreePBX 2.9 through 12 RCE
- From: rob.thomas@xxxxxxxxxxxxxxx
- Date: Tue, 11 Feb 2014 23:44:36 GMT
Overview:
Unauthenticated user-level Remote Code Execution (RCE) vulnerability in
admin/config.php, the main interface to FreePBX. The bug was introduced in
FreePBX 2.9; earlier versions are not affected.
CVSS v2 score - 8.4 (base, temporal and environmental metrics)
(AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M)
Reference to Advisory:
http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice
Reference to Bug:
http://issues.freepbx.org/browse/FREEPBX-7123
Fixed in Versions:
2.9  - 2.9.0.14
2.10 - 2.10.1.15
2.11 - 2.11.0.23
12   - 12.0.1alpha22
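To decide whether a given installation is covered by the fixed-in list above, the version string has to be compared branch by branch, and the 12 branch fix is a pre-release tag (12.0.1alpha22) that must sort before the final 12.0.1 but after 12.0.1alpha21. The following is an added example, not code from the advisory or from the FreePBX project; it hard-codes the fixed versions as listed here, assumes the installed version string is in FreePBX's usual dotted form (optionally with an alpha/beta suffix), and treats any branch the advisory does not name as unknown rather than guessing.

```python
import re
from typing import List, Tuple

# Fixed versions exactly as listed in this advisory, keyed by branch.
FIXED_IN = {
    "2.9": "2.9.0.14",
    "2.10": "2.10.1.15",
    "2.11": "2.11.0.23",
    "12": "12.0.1alpha22",
}

# One dotted component: a number, optionally followed by a tag such as
# alpha22 or beta1. Assumption: FreePBX version components look like this.
_COMPONENT = re.compile(r"^(\d+)(?:([A-Za-z]+)(\d*))?$")

Key = List[Tuple[int, int, str, int]]


def version_key(version: str) -> Key:
    """Turn '12.0.1alpha22' into a sortable key.

    Each component becomes (number, is_release, tag, tag_number), so that
    1alpha22 sorts before the final 1 release and alpha21 sorts before alpha22.
    """
    key: Key = []
    for comp in version.strip().split("."):
        m = _COMPONENT.match(comp)
        if not m:
            raise ValueError(f"unparseable component {comp!r} in {version!r}")
        num, tag, tagnum = m.groups()
        if tag:
            key.append((int(num), 0, tag.lower(), int(tagnum or 0)))
        else:
            key.append((int(num), 1, "", 0))
    return key


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is older than, equal to or newer than b.
    Missing trailing components are treated as final .0 releases."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    pad = [(0, 1, "", 0)]
    ka, kb = ka + pad * (n - len(ka)), kb + pad * (n - len(kb))
    return (ka > kb) - (ka < kb)


def branch_of(version: str) -> str:
    """'2.9.0.14' -> '2.9', '12.0.1alpha22' -> '12'.
    FreePBX dropped the leading 2. in the 12 series, so the branch is the
    first component from 12 onwards and major.minor before that."""
    parts = version.strip().split(".")
    major = int(re.match(r"\d+", parts[0]).group())
    return parts[0] if major >= 12 else ".".join(parts[:2])


def status(version: str) -> str:
    """Classify an installed version against this advisory:
    'not affected' (pre-2.9), 'vulnerable', 'fixed', or 'unknown' (branch
    not covered by the advisory)."""
    if compare(version, "2.9") < 0:
        return "not affected"  # the bug was introduced in 2.9
    fixed = FIXED_IN.get(branch_of(version))
    if fixed is None:
        return "unknown"
    return "fixed" if compare(version, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for v in ("2.8.1.4", "2.9.0.13", "2.9.0.14", "2.11.0.22",
              "12.0.1alpha21", "12.0.1alpha22", "12.0.1", "13.0.1"):
        print(f"{v:15s} {status(v)}")
```

Feed it whatever version string your installation reports; anything in a named branch below the listed fix is vulnerable, and a branch the advisory does not mention is reported as unknown rather than assumed safe.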
Additional Information:
FreePBX contains an automatic alert service for upgrade notifications. If your
system is set up correctly, you will have received an email alert about this
vulnerability when it was detected and fixed. Schmoozecom strongly urges you
to check that the email alert address is correct and up to date so that you
receive notifications of security issues and pending updates.
Schmoozecom and FreePBX are very proactive and responsive to security issues,
and care deeply about the security of our software and systems. We welcome
security-related bug reports and issues; they can be submitted via email to
security@xxxxxxxxxxx for immediate attention.