CVE-2015-2690

Name of the Vulnerable Software and Affected Versions FreePBX Digium Addons module (digiumaddoninstaller) versions prior to 2.11.0.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in an add-license-form page. The vulnerable parameters include add license key, add license first name, add license last name, add license company, add license address1, add license address2, add license city, add license state, add license post code, add license country, add license phone, and add license email in the "add-license-form" page to "admin/config.php".

Recommendations For versions prior to 2.11.0.7, update to version 2.11.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "add-license-form" page in "admin/config.php" to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected page until the issue is resolved.