PT-2021-8989 · Unknown · Liberty Lispbx

Fernando Pompeo Amatte · Published 2021-04-12 · Updated 2021-04-21 · CVE-2019-15059

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Liberty lisPBX versions 2.0 through 2.0-4

Description

The issue allows remote retrieval of configuration backup files without requiring authentication or authorization. These files contain sensitive PBX information, including extension numbers, contacts, and passwords, which can be accessed through specific paths, such as /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar.

Recommendations

For Liberty lisPBX versions 2.0 through 2.0-4, restrict access to the /backup directory to prevent unauthorized retrieval of configuration backup files. Consider implementing proper authentication and authorization mechanisms for accessing these files.

Fix

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2019-15059

Affected Products

Liberty Lispbx