CVE-2014-1903

2014-02-1811:55:16

CWE-264

mitre

web.nvd.nist.gov

freepbx

remote code execution

cve-2014-1903

nvd

security advisory

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.5

Confidence

Low

EPSS

0.964

Percentile

99.6%

JSON

admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.

Affected configurations

Nvd

Node

freepbxfreepbxMatch2.10

freepbxfreepbxMatch2.11

freepbxfreepbxMatch2.12

sangomafreepbxMatch2.9

VendorProductVersionCPE
freepbxfreepbx2.10cpe:2.3:a:freepbx:freepbx:2.10:*:*:*:*:*:*:*
freepbxfreepbx2.11cpe:2.3:a:freepbx:freepbx:2.11:*:*:*:*:*:*:*
freepbxfreepbx2.12cpe:2.3:a:freepbx:freepbx:2.12:*:*:*:*:*:*:*
sangomafreepbx2.9cpe:2.3:a:sangoma:freepbx:2.9:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
freepbx	freepbx	2.10	cpe:2.3:a:freepbx:freepbx:2.10:::::::*
freepbx	freepbx	2.11	cpe:2.3:a:freepbx:freepbx:2.11:::::::*
freepbx	freepbx	2.12	cpe:2.3:a:freepbx:freepbx:2.12:::::::*
sangoma	freepbx	2.9	cpe:2.3:a:sangoma:freepbx:2.9:::::::*