PT-2018-17528 · Sangoma · FreePBX

Code16 · Published 2018-01-29 · Updated 2024-08-05 · CVE-2018-6393

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreePBX versions 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2)

Description: The issue allows post-authentication SQL injection via the order parameter. Note that the vendor disputes this issue, stating that it is intentional for users to be able to directly modify SQL tables or run shell scripts once logged in to the administration interface.

Recommendations: For both FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2), restrict access to the administration interface to minimize the risk of exploitation. As a temporary workaround, disable the ability to directly modify SQL tables or run shell scripts for non-privileged users until a patch is available.

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2018-6393

Affected Products: FreePBX