PT-2009-4266 · Sangoma · Freepbx

Published: 2009-05-28 · Updated: 2019-12-10 · CVE-2009-1801

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: FreePBX 2.4.x through 2.5.1; FreePBX pre-release 2.6.x.
Description: Multiple cross-site scripting (XSS) vulnerabilities in the FreePBX web interface allow remote attackers to inject arbitrary web script or HTML into pages served to other users. The injection points are the display parameter of reports.php, the order and extdisplay parameters of config.php, and the sort parameter of recordings/index.php. The payload is reflected from the request, so exploitation requires a victim, typically an administrator who is logged in to the interface, to open a crafted link (hence the Medium access complexity in the CVSS vector).
Recommendations: Upgrade to a FreePBX release that fixes CVE-2009-1801; check the vendor's advisories for the fixed version. Until the upgrade is possible, restrict access to reports.php, config.php and recordings/index.php (and to the FreePBX administration interface as a whole) to trusted administrative networks and authenticated users, and treat links to these pages carrying display, order, extdisplay or sort values as untrusted. A front-end filter that rejects HTML metacharacters in those four parameters reduces exposure but is not a substitute for the real fix, which is allowlist validation of the parameters and HTML encoding of any value written back into the page. Note that these are administration pages rather than API endpoints: disabling them as a temporary workaround also removes the corresponding reporting, configuration and recordings functions.
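The following PHP snippet is an added illustration by the editor and is not FreePBX's own code. It models the bug class in this advisory, a query parameter echoed unencoded into an admin page and into a link, beside a hardened handler for the same inputs. The parameter names (sort, order, display) come from the advisory; the function names, the allowlisted column and page values, and the HTML layout are assumptions made for the example.

```php
<?php
// Illustrative example (editor's addition, not FreePBX code).
// Models reflected XSS through query parameters such as "sort" and "order"
// and the corresponding hardened handler. Allowlist values, function names
// and HTML layout are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw query parameter is written into the page body
// and into an attribute, so input like  "><script>...</script>  leaves the
// attribute and runs in the browser of whoever opens the link.
function render_list_vulnerable(array $query): string
{
    $sort  = $query['sort'] ?? 'name';
    $html  = '<h2>Recordings sorted by ' . $sort . '</h2>';
    $html .= '<a href="index.php?sort=' . $sort . '&order=desc">reverse</a>';
    return $html;
}

// Hardened pattern:
// 1. Parameters that only select behaviour (sort column, order, display page)
//    are checked against an allowlist and fall back to a safe default.
// 2. Anything written back into the page is encoded for its context:
//    htmlspecialchars() for HTML text and attribute values,
//    rawurlencode() for a value inside a URL query string.
const ALLOWED_SORT    = ['name', 'date', 'size'];   // assumed column names
const ALLOWED_ORDER   = ['asc', 'desc'];
const ALLOWED_DISPLAY = ['calls', 'extensions'];    // assumed page names

function pick(array $query, string $key, array $allowed, string $default): string
{
    $value = $query[$key] ?? $default;
    return in_array($value, $allowed, true) ? $value : $default;
}

function esc(string $s): string
{
    // ENT_QUOTES encodes both " and ', so the result is safe inside
    // attributes delimited by either quote character.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_list_hardened(array $query): string
{
    $sort  = pick($query, 'sort',  ALLOWED_SORT,  'name');
    $order = pick($query, 'order', ALLOWED_ORDER, 'asc');
    $next  = ($order === 'asc') ? 'desc' : 'asc';

    // Encoding is kept even though the values are allowlisted: it costs
    // nothing and protects the page if the allowlist is later widened.
    $html  = '<h2>Recordings sorted by ' . esc($sort) . '</h2>';
    $html .= '<a href="index.php?sort=' . rawurlencode($sort)
           . '&amp;order=' . rawurlencode($next) . '">reverse</a>';
    return $html;
}

// Self-check with a constructed hostile query.
$hostile = ['sort' => '"><script>alert(1)</script>', 'order' => 'desc'];

$bad = render_list_vulnerable($hostile);
assert(strpos($bad, '<script>') !== false);     // payload survives verbatim

$good = render_list_hardened($hostile);
assert(strpos($good, '<script>') === false);    // rejected by the allowlist
assert($good === '<h2>Recordings sorted by name</h2>'
              . '<a href="index.php?sort=name&amp;order=asc">reverse</a>');

// Free-text input that must be displayed but cannot be allowlisted is encoded.
assert(esc('<b>"x"</b>') === '&lt;b&gt;&quot;x&quot;&lt;/b&gt;');
echo "ok\n";
```

Run it with `php example.php` (assertions are active when zend.assertions is not set to -1). The allowlist is the important part for parameters like sort and order: a sort column has a small fixed set of legal values, so there is no reason to let arbitrary text reach either the HTML output or, in other code paths, an SQL ORDER BY clause.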

Weakness Enumeration

XSS (cross-site scripting, CWE-79)

Related Identifiers

CVE-2009-1801

Affected Products

Freepbx