Advisory: SB2021122228 - Remote code execution in FreePBX Phone Apps module
Vulnerable component: Phone Apps
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-20 - Improper input validation
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in the Phone Apps (restapps) module for FreePBX. A remote attacker can send specially crafted input to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109 https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE https://community.freepbx.org/t/0-day-freepbx-exploit/80092