PT-2021-9166 · Sangoma · Sangoma Freepbx+1
Published
2021-05-31
·
Updated
2022-07-12
·
CVE-2020-10666
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Sangoma FreePBX and PBXact versions 13 through 15.0.19.2
Description
The issue allows remote code execution via a URL variable to an AMI command. This is related to the restapps module, also known as Rest Phone apps.
Recommendations
For versions 13 through 15.0.19.2, consider restricting access to the restapps module to minimize the risk of exploitation.
As a temporary workaround, avoid using URL variables that could lead to AMI commands until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pbxact
Sangoma Freepbx