Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Vendor: Sangoma Technologies
Vendor URL: https://freepbx.com
Versions affected: FreePBX 13, 14, and 15
Systems Affected: FreePBX UCP application
Author: Bill Marquette
Advisory URLs:
SEC-2020-06: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cel+module
SEC-2020-07: https://wiki.freepbx.org/display/FOP/2020-08-17+SQL+Injection+In+cdr+module
Risk: High

Summary: The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself. FreePBX has a …