CVE-2014-1903
First published: Tue Feb 18 2014(Updated: )
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreePBX | =2.10 | |
| FreePBX | =2.11 | |
| FreePBX | =2.12 | |
| FreePBX | =2.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0097.html
- http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0111.html
- http://code.freepbx.org/changelog/FreePBX_Framework?cs=a29382efeb293ef4f42aa9b841dfc8eabb2d1e03
- http://code.freepbx.org/changelog/FreePBX_SVN?cs=16429
- http://issues.freepbx.org/browse/FREEPBX-7117
- http://issues.freepbx.org/browse/FREEPBX-7123
- http://osvdb.org/103240
- http://packetstormsecurity.com/files/125166/FreePBX-2.x-Code-Execution.html
- http://packetstormsecurity.com/files/125215/FreePBX-2.9-Remote-Code-Execution.html
- http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice
- http://www.securityfocus.com/archive/1/531040/100/0/threaded
- https://github.com/0x00string/oldays/blob/master/CVE-2014-1903.pl
Frequently Asked Questions
What is the severity of CVE-2014-1903?
CVE-2014-1903 has a high severity due to its potential for remote code execution.
How do I fix CVE-2014-1903?
To fix CVE-2014-1903, update FreePBX to version 2.9.0.14, 2.10.1.15, 2.11.0.23, or later.
What software versions are affected by CVE-2014-1903?
CVE-2014-1903 affects FreePBX versions 2.9, 2.10, 2.11, and 2.12 prior to their respective patch releases.
What is the nature of the vulnerability in CVE-2014-1903?
CVE-2014-1903 allows remote attackers to execute arbitrary PHP code due to insufficient restrictions on accessible functions.
Can CVE-2014-1903 be exploited without authentication?
Yes, CVE-2014-1903 can be exploited by unauthenticated remote attackers.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/freepbx
- canonical/freepbx
- version/freepbx/2.10
- version/freepbx/2.11
- version/freepbx/2.12
- vendor/sangoma
- version/freepbx/2.9