An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
CPE | Name | Operator | Version |
---|---|---|---|
freepbx | eq | 15.0.1 | |
freepbx | lt | 13.0.122.43 | |
freepbx | ge | 14.0.0 | |
freepbx | lt | 14.0.18.34 | |
freepbx | eq | 15.0.1 beta4 | |
freepbx | ge | 15.0.0 | |
freepbx | le | 15.0.1 |