CVE-2012-4870

Name of the Vulnerable Software and Affected Versions FreePBX versions 2.9 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to security breaches. This can be achieved through various parameters and endpoints, including the context parameter to "panel/index amp.php" or "panel/dhtml/index.php", the clid or clidname parameters to "panel/flash/mypage.php", the PATH INFO to "admin/views/freepbx reload.php", or the login parameter to "recordings/index.php".

Recommendations For FreePBX versions 2.9 and earlier, update to a version later than 2.9 to resolve the issue. As a temporary workaround, consider restricting access to the specified endpoints and parameters, such as "panel/index amp.php", "panel/dhtml/index.php", "panel/flash/mypage.php", "admin/views/freepbx reload.php", and "recordings/index.php", until a patch is available.