PT-2026-44842 · Sangoma+1 · Freepbx+1
Mil1200
·
Publicado
2026-05-29
·
Atualizado
2026-05-29
·
CVE-2026-44237
CVSS v4.0
7.6
Alta
| Vetor | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client id to obtain OAuth2 access tokens without providing the correct client secret. This vulnerability is fixed in 17.0.8.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Freepbx
Security-Reporting