PT-2026-60547 · Mwtcmi · Frogman

CVE-2026-46514

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm reset password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm add extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc audit log.detail, allowing any PERM READ caller with access to fm audit search to recover the stored credentials. This issue is fixed in version 1.6.2.

Correção

Insertion into Log File

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-46514

Produtos afetados

Frogman