| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201402112344.s1BNiaib032687@sf01web3.securityfocus.com> Date: Tue, 11 Feb 2014 23:44:36 GMT From: rob.thomas@...moozecom.com To: bugtraq@...urityfocus.com Subject: [CVE-2014-1903] FreePBX 2.9 through 12 RCE Overview: Unauthenticated user-level Remote Code Execution (RCE) vulnerability in admin/config.php, the main interface to FreePBX. This bug was introduced in FreePBX 2.9, earlier versions are not affected. Score - 8.4 (AV:N/AC:L/Au:N/C:P/I:P/A:C/E:H/RL:OF/RC:C/CDP:MH/TD:ND/CR:L/IR:L/AR:M) Reference to Advisory: http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice Reference to Bug: http://issues.freepbx.org/browse/FREEPBX-7123 Fixed in Versions: 2.9 -- 2.9.0.14 2.10 - 2.10.1.15 2.11 - 2.11.0.23 12 - 12.0.1alpha22 Additional Information: FreePBX contains an automatic alert service for upgrade notifications. If your system is set up correctly, you would have received an email alert of this vulnerability when it was detected and fixed. Schmoozecom strongly urges you to ensure that the email alert address is correct and up to date to ensure you receive notifications of security issues and pending updates. Schmoozecom and FreePBX are very proactive and responsive to security issues, and care deeply about the security of our software and systems. We welcome security related bug reports and issues, and they can be submitted via email to security@...epbx.org for instant attention.
Powered by blists - more mailing lists