AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94

disputed

A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

disputed

A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

disputed

A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE-434

An authenticated arbitrary file upload vulnerability in the component /module_admin/upload.php of freepbx v17.0.19.17 allows attackers to execute arbitrary code via uploading a crafted file.

A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

https://gist.github.com/hyp164D1/d419bdf3e7e352088a21631d0f452a8c

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94

An authenticated arbitrary file upload vulnerability in the component /module_admin/upload.php of freepbx v17.0.19.17 allows attackers to execute arbitrary code via uploading a crafted file.

https://gist.github.com/hyp164D1/490732de230edf97423f6d95b0d2f903