PT-2026-60548 · Mwtcmi · Frogman

CVE-2026-46515

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v4.0

9.3

Crítica

VetorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM READ access was sufficient to call fm list managers, fm list pinsets, fm show context, fm get mcp config, fm backup status, fm whos calling, fm run saved query, and fm diagnose trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5 cred, and oauth secret. This issue is fixed in version 1.6.3.

Correção

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-46515

Produtos afetados

Frogman