FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
| Vendor | Product | Versions |
|---|---|---|
| freepbx | security-reporting | < 16.0.22, >= 17.0.1, < 17.0.5 |
Updated severity to CRITICAL, added new description details, and noted that the vulnerability is actively exploited.
Initial creation