Vulnerabilities > Sangoma

DATE CVE VULNERABILITY TITLE RISK
2018-01-29 CVE-2018-6393 SQL Injection vulnerability in Sangoma Freepbx 10.13.66/14.0.1.24
FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter.
network
low complexity
sangoma CWE-89
7.2
2017-12-07 CVE-2017-17430 Improper Authentication vulnerability in Sangoma Netborder/Vega Session Firmware 2.3.1178Ga
Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows remote attackers to execute arbitrary commands via the web interface.
network
low complexity
sangoma CWE-287
7.5
2014-10-07 CVE-2014-7235 Code Injection vulnerability in multiple products
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
network
low complexity
freepbx sangoma CWE-94
critical
10.0
2014-02-18 CVE-2014-1903 Permissions, Privileges, and Access Controls vulnerability in multiple products
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
network
low complexity
freepbx sangoma CWE-264
7.5
2012-09-06 CVE-2012-4870 Cross-Site Scripting vulnerability in Sangoma Freepbx
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) context parameter to panel/index_amp.php or (2) panel/dhtml/index.php; (3) clid or (4) clidname parameters to panel/flash/mypage.php; (5) PATH_INFO to admin/views/freepbx_reload.php; or (6) login parameter to recordings/index.php.
network
sangoma CWE-79
4.3
2012-09-06 CVE-2012-4869 Code Injection vulnerability in Sangoma Freepbx
The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.
network
low complexity
sangoma CWE-94
7.5
2010-09-28 CVE-2010-3490 Path Traversal vulnerability in Sangoma Freepbx
Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a ..
network
low complexity
sangoma CWE-22
6.5
2009-05-28 CVE-2009-1803 Information Exposure vulnerability in multiple products
FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
network
low complexity
freepbx sangoma CWE-200
5.0
2009-05-28 CVE-2009-1802 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact.
6.8
2009-05-28 CVE-2009-1801 Cross-Site Scripting vulnerability in multiple products
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php.
4.3