PT-2018-15159 · Signalwire+1 · Freeswitch+1

B1U3R · Published 2018-12-06 · Updated 2020-08-24 · CVE-2018-19911

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

FreeSWITCH versions prior to 1.8.3

Description

The issue allows remote attackers to execute arbitrary commands when mod_xml_rpc is enabled. The commands are passed via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080; an api/system?calc URI is one example. The issue can also be exploited via CSRF. In some cases, the default password for the freeswitch account can be used.

Recommendations

For FreeSWITCH versions prior to 1.8.3, update to version 1.8.3 or later to resolve the issue. As a temporary workaround, consider disabling the mod_xml_rpc module until a patch is available. Restrict access to TCP port 8080 to minimize the risk of exploitation. Change the default password for the freeswitch account to prevent unauthorized access.
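
A detection sketch for the request patterns named in the description, added here as an example and not taken from the advisory or from FreeSWITCH: it scans access-log lines for the four command-executing endpoints and flags requests that succeeded or arrived with a foreign Referer. The combined log format (for instance from a reverse proxy in front of port 8080), the host name pbx.example.internal and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# The four endpoints named in the description: (api|txtapi)/(system|bg_system).
RISKY = re.compile(r"^/+(?:api|txtapi)/+(?:bg_)?system$", re.IGNORECASE)
# Assumed combined log format, e.g. from a reverse proxy in front of port 8080.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def classify(line, own_hosts=("pbx.example.internal:8080",)):
    """Return a finding for a request to a command endpoint, else None."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-encoding twice so single and double encoding both match.
    path = unquote(unquote(parts.path))
    if not RISKY.match(path):
        return None
    ref_host = urlsplit(m["referer"]).netloc
    return {
        "ip": m["ip"],
        "endpoint": path,
        "argument": unquote(parts.query),
        "succeeded": m["status"].startswith("2"),
        "authenticated": m["user"] != "-",
        # A Referer from another site points at the CSRF route.
        "cross_site": bool(ref_host) and ref_host not in own_hosts,
    }

def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Dec/2018:10:01:02 +0000] "GET /api/system?calc HTTP/1.1" 200 12 "-" "curl/7.61"',
    '10.0.0.5 - freeswitch [06/Dec/2018:10:02:10 +0000] "GET /txtapi/%62g_system?calc HTTP/1.1" 200 40 "http://news.example.net/page" "Mozilla/5.0"',
    '10.0.0.5 - freeswitch [06/Dec/2018:10:03:00 +0000] "GET /api/status HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Dec/2018:10:04:00 +0000] "GET /api/system?calc HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```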

Exploit · Fix · RCE · CSRF · Command Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2019-1011
CVE-2018-19911

Affected Products

Alt Linux
Freeswitch