Unknown · FreePBX tts module · CVE-2025-67736
**Name of the Vulnerable Software and Affected Versions**
FreePBX tts module versions prior to 16.0.5
FreePBX tts module versions prior to 17.0.5
**Description**
The Text to Speech (tts) module for FreePBX, a web-based graphical user interface for Asterisk, contains a SQL injection flaw. Authenticated users with administrator access can exploit this issue to extract sensitive information from the database. Successful exploitation allows for code execution on the system as the `asterisk` user, potentially leading to `root` privileges through privilege escalation. The vulnerable area is accessible through the Administrator Control Panel (ACP).
**Recommendations**
Upgrade to FreePBX tts module version 16.0.5 or later.
Upgrade to FreePBX tts module version 17.0.5 or later.