CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.6%
Added: 04/03/2014
CVE: CVE-2014-1903
BID: 65509
OSVDB: 103240
FreePBX is an open source telephony front-end, which has an easy to use graphical user interface that controls and manages Asterisk.
The Framework module of FreePBX is vulnerable to remote code execution as a result of improper sanitization of user-supplied input. The vulnerability is triggered when input passed as arguments to the **config.php**
script is not propery sanitized upon submission to the **admin/libraries/view.functions.php**
script. FreePBX versions 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 are vulnerable.
Upgrade to version 2.9.0.14, 2.10.1.15, 2.11.0.23, 12.0.1alpha22, or higher.
<http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice>
<http://issues.freepbx.org/browse/FREEPBX-7123>
<http://downloads.securityfocus.com/vulnerabilities/exploits/65509.php>
The **telnet**
application must exist on the target system.
Linux