Sangoma: Security Vulnerabilities
CVE-2019-19006
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
Known exploited
CVSS Score
9.8
EPSS Score
0.358
Published
2019-11-21
asterisk allows calls on prohibited networks
CVSS Score
7.5
EPSS Score
0.012
Published
2019-10-29
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt.
CVSS Score
9.8
EPSS Score
0.026
Published
2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin web portal without providing any credentials. This affects /var/webconfig/gui/Webconfig.inc.php.
CVSS Score
9.8
EPSS Score
0.035
Published
2019-10-22
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
CVSS Score
6.1
EPSS Score
0.013
Published
2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.
CVSS Score
6.1
EPSS Score
0.011
Published
2019-10-21
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
CVSS Score
4.8
EPSS Score
0.006
Published
2019-06-20
An issue was discovered in Asterisk Open Source 15.x before 15.4.1. When connected to Asterisk via TCP/TLS, if the client abruptly disconnects, or sends a specially crafted message, then Asterisk gets caught in an infinite loop while trying to read the data stream. This renders the system unusable.
CVSS Score
6.5
EPSS Score
0.068
Published
2018-06-12
FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors.
CVSS Score
7.2
EPSS Score
0.022
Published
2018-01-29
Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows remote attackers to execute arbitrary commands via the web interface.
CVSS Score
9.8
EPSS Score
0.018
Published
2017-12-07