Headline

CVE-2019-16965: FusionPBX Sofia API command injection 2/2

resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.

5 years ago

CVE

Open in Source

#vulnerability #web #git #php #auth

A system command can be passed to FreeSwitch Sofia API in URL argument cmd of the web page resources/cmd.php.

As part of general resources in FusionPBX up to v4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=14811194-6897-4e22-9110-b5767d46a536

Fix: https://github.com/fusionpbx/fusionpbx/commit/6baad9af1bc55c80b793af3bd1ac35b39c20b173
Issue was reported by Pierre Jourdan on 15/08/2019 and fixed same day on 4.4 and master branches by Mark J Crane.

CVE published, NVD base score is 7.2 HIGH:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16965
https://nvd.nist.gov/vuln/detail/CVE-2019-16965

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

10 months ago

10 months ago

10 months ago

10 months ago

10 months ago