CVE-2007-2191

Name of the Vulnerable Software and Affected Versions freePBX versions 2.2.x

Description The issue allows remote attackers to inject arbitrary web script or HTML via certain SIP protocol fields, including the From, To, Call-ID, and User-Agent fields. These fields are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php.

Recommendations For freePBX version 2.2.x, consider restricting access to the asterisk-full-log.php file until a patch is available. As a temporary workaround, avoid using the From, To, Call-ID, and User-Agent fields in the SIP protocol to minimize the risk of exploitation.