PT-2026-60547 · Mwtcmi · Frogman
CVE-2026-46514
·
Publicado
2026-07-16
·
Atualizado
2026-07-16
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm reset password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm add extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc audit log.detail, allowing any PERM READ caller with access to fm audit search to recover the stored credentials. This issue is fixed in version 1.6.2.
Correção
Insertion into Log File
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Frogman