CVE-2009-4458

Name of the Vulnerable Software and Affected Versions FreePBX versions 2.5.2 through 2.6.0rc2

Description The issue allows remote attackers to inject arbitrary web script or HTML via the tech parameter to "admin/admin/config.php" during a trunks display action, the description parameter during an Add Zap Channel action, and unspecified vectors during an Add Recordings action.

Recommendations For FreePBX versions 2.5.2 through 2.6.0rc2, consider restricting access to the affected admin/config.php endpoint and limiting the use of the tech and description parameters until a fix is available. Avoid using unspecified vectors in the Add Recordings action to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.