admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 02:05
Type | Values Removed | Values Added |
---|---|---|
References | () http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0097.html - | |
References | () http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0111.html - | |
References | () http://code.freepbx.org/changelog/FreePBX_Framework?cs=a29382efeb293ef4f42aa9b841dfc8eabb2d1e03 - | |
References | () http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429 - | |
References | () http://issues.freepbx.org/browse/FREEPBX-7117 - Vendor Advisory | |
References | () http://issues.freepbx.org/browse/FREEPBX-7123 - Vendor Advisory | |
References | () http://osvdb.org/103240 - | |
References | () http://packetstormsecurity.com/files/125166/FreePBX-2.x-Code-Execution.html - | |
References | () http://packetstormsecurity.com/files/125215/FreePBX-2.9-Remote-Code-Execution.html - | |
References | () http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice - | |
References | () http://www.securityfocus.com/archive/1/531040/100/0/threaded - | |
References | () https://github.com/0x00string/oldays/blob/master/CVE-2014-1903.pl - |
Information
Published : 2014-02-18 11:55
Updated : 2024-11-21 02:05
NVD link : CVE-2014-1903
Mitre link : CVE-2014-1903
CVE.ORG link : CVE-2014-1903
JSON object : View
Products Affected
freepbx
- freepbx
sangoma
- freepbx
CWE
CWE-264
Permissions, Privileges, and Access Controls