PT-2024-12105 · Sangoma · Sangoma FreePBX
Vasilis Sikkis
·
Published
2024-05-10
·
Updated
2024-07-03
·
CVE-2023-26566
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Sangoma FreePBX versions 1805 through 2203
Description
Sangoma FreePBX ships hardcoded credentials for the Asterisk REST Interface (ARI), the management API that Asterisk exposes through its built-in HTTP server. A remote attacker who can reach the ARI endpoint can authenticate with those credentials over HTTP and WebSocket without any user interaction, reconfigure Asterisk, and originate internal and external calls. The CVSS vector reflects this: no privileges or user interaction are required (PR:N/UI:N), and the impact on integrity is high.
Recommendations
For versions 1805 through 2203, update FreePBX to a release in which the hardcoded ARI credentials have been removed. Until the update is applied, restrict network access to ARI: bind Asterisk's HTTP server to the loopback interface or filter the ARI port at the firewall so that only trusted hosts can reach it. After updating, confirm that the previously hardcoded credentials are rejected by the ARI endpoint (an HTTP 401 on an authenticated request) and that the ARI user configuration no longer carries a plaintext password.
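The following Python script is an added example, not part of this advisory or of FreePBX, showing how to check the workaround and the post-update state described above. It parses Asterisk-style ari.conf and http.conf text and reports whether the HTTP server is bound beyond loopback, whether TLS is off while exposed, whether any ARI user stores a plaintext password, and whether users are read/write; a second function sends an authenticated GET to ARI's /ari/asterisk/info resource and returns the HTTP status so the old credentials can be confirmed rejected. The sample configurations, the user name pbxapi, the password changeme and the crypt placeholder are constructed for illustration and are not the credential from the advisory. On FreePBX the generated ari_*_additional.conf includes are rewritten on reload (assumed layout; verify on your install), so audit each included file and make lasting changes in the corresponding _custom.conf files.

```python
"""Audit Asterisk ARI exposure and probe the ARI endpoint (added example)."""
import base64
import configparser
import urllib.error
import urllib.request

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_asterisk_conf(text):
    """Parse Asterisk-style INI text.

    Both ';' and '#' start comment lines, so '#include' lines are dropped:
    audit each included file separately. Duplicate keys keep the last value.
    """
    cp = configparser.ConfigParser(
        interpolation=None,
        strict=False,
        delimiters=("=>", "="),  # Asterisk accepts both 'key = value' and 'key => value'
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";",),
    )
    cp.read_string(text)
    return cp


def audit_ari(ari_conf, http_conf):
    """Return (severity, message) findings for an ari.conf / http.conf pair."""
    findings = []
    ari = parse_asterisk_conf(ari_conf)
    http = parse_asterisk_conf(http_conf)

    http_general = http["general"] if http.has_section("general") else {}
    http_enabled = http_general.get("enabled", "no").lower() == "yes"
    bind = http_general.get("bindaddr", "0.0.0.0")  # Asterisk default when unset
    exposed = http_enabled and bind not in LOOPBACK
    if exposed:
        findings.append(("high", f"http.conf: HTTP server bound to {bind}, ARI reachable from the network"))
        if http_general.get("tlsenable", "no").lower() != "yes":
            findings.append(("high", "http.conf: TLS disabled, ARI credentials cross the network in cleartext"))

    ari_general = ari["general"] if ari.has_section("general") else {}
    if ari_general.get("enabled", "yes").lower() != "yes":  # ARI defaults to enabled
        return findings
    if ari_general.get("allowed_origins", "") == "*":
        findings.append(("warn", "ari.conf: allowed_origins = * lets any web origin call ARI"))

    for name in ari.sections():
        sec = ari[name]
        if sec.get("type", "").lower() != "user":
            continue
        if sec.get("password_format", "plain").lower() == "plain":
            findings.append(("high", f"ari.conf: user '{name}' has a plaintext password (password_format = plain)"))
        if sec.get("read_only", "no").lower() != "yes":
            findings.append(("warn", f"ari.conf: user '{name}' is read/write and can reconfigure Asterisk and originate calls"))
    return findings


def ari_probe(base_url, user, password, timeout=5):
    """GET /ari/asterisk/info with HTTP Basic auth and return the HTTP status.

    200 means the credentials are still accepted; 401 means they are rejected.
    Network call, not exercised by the offline test.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/ari/asterisk/info")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


# Constructed sample configs; user name and password are placeholders.
WEAK_ARI_CONF = """
[general]
enabled = yes
pretty = yes
allowed_origins = *

[pbxapi]
type = user
read_only = no
password = changeme
"""
WEAK_HTTP_CONF = """
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
"""
HARDENED_ARI_CONF = """
[general]
enabled = yes

[pbxapi]
type = user
read_only = no
; crypt(3) hash from mkpasswd goes here; the value below is a placeholder, not a real hash
password = $6$REPLACE$WITH_MKPASSWD_OUTPUT
password_format = crypt
"""
HARDENED_HTTP_CONF = """
[general]
enabled=yes
bindaddr=127.0.0.1
bindport=8088
"""

if __name__ == "__main__":
    for label, (a, h) in {"weak": (WEAK_ARI_CONF, WEAK_HTTP_CONF),
                          "hardened": (HARDENED_ARI_CONF, HARDENED_HTTP_CONF)}.items():
        print(label)
        for sev, msg in audit_ari(a, h):
            print(f"  [{sev}] {msg}")
    # Post-update check against a real host, e.g.:
    #   ari_probe("http://pbx.example.internal:8088", "olduser", "oldpass")  -> expect 401
```

The hardened sample still reports the user as read/write, because FreePBX's own ARI user needs write access; that finding is informational, while plaintext storage and network exposure are the conditions that turn a leaked or hardcoded credential into the remote reconfiguration the advisory describes. Note that a password containing ';' would be cut at the semicolon by both this parser and Asterisk itself.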
Weakness Enumeration
Using Hardcoded Credentials (CWE-798, Use of Hard-coded Credentials)
Related Identifiers
CVE-2023-26566
Affected Products
Sangoma FreePBX