CVE-2020-36630

Name of the Vulnerable Software and Affected Versions FreePBX cdr versions 14.0 through 14.0.5.20

Description The issue is related to the ajaxHandler function in the ucp/Cdr.class.php file of the FreePBX web interface, which fails to protect against SQL query structure attacks. This can allow a remote attacker to execute arbitrary SQL commands by manipulating the limit/offset argument, leading to SQL injection.

Recommendations For FreePBX cdr versions 14.0 through 14.0.5.20, upgrade to version 14.0.5.21 to address this issue. As a temporary workaround, consider restricting access to the ajaxHandler function in the ucp/Cdr.class.php file until the upgrade is applied. Avoid using the limit/offset argument in the affected API endpoint until the issue is resolved.