FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
| Vendor | Product | Versions |
|---|---|---|
| freepbx | security-reporting | < 16.0.50, >= 17.0.1, < 17.0.11 |
Updated severity to CRITICAL, added affected versions 16.0.49 and 17.0.10, and noted that the vulnerability can be exploited remotely.
Initial creation