Zero-day vulnerability in Phone Apps

Input validation error

Vulnerability details

Advisory: SB2021122228 - Remote code execution in FreePBX Phone Apps module

Vulnerable component: Phone Apps

CVE-ID: CVE-2021-45461

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper input validation


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in the Phone Apps (restapps) module for FreePBX. A remote attacker can send specially crafted input to the application and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild.

External links: