CVE-2024-58294

Name of the Vulnerable Software and Affected Versions FreePBX version 16

Description FreePBX version 16 contains an authenticated remote code execution issue in the API module. An attacker with valid session credentials can execute arbitrary commands. The issue is exploitable through the 'generatedocs' API endpoint by submitting crafted POST requests that inject bash commands, potentially leading to remote shell access. The generatedocs endpoint accepts POST requests with malicious payloads. The vulnerable parameter is not explicitly specified, but the attack involves bash command injection.

Recommendations Apply any available updates or patches for FreePBX version 16. Restrict access to the 'generatedocs' API endpoint. As a temporary workaround, consider disabling the API module until a patch is available.