Multiple vulnerabilities in FusionPBX



Published: 2019-10-23 | Updated: 2019-10-25
Severity Medium
Patch available YES
Number of vulnerabilities 31
CVE ID CVE-2019-16989
CVE-2019-16988
CVE-2019-16987
CVE-2019-16986
CVE-2019-16985
CVE-2019-16984
CVE-2019-16983
CVE-2019-16982
CVE-2019-16976
CVE-2019-16975
CVE-2019-16977
CVE-2019-16981
CVE-2019-16965
CVE-2019-16964
CVE-2019-16970
CVE-2019-16968
CVE-2019-16974
CVE-2019-16969
CVE-2019-16973
CVE-2019-16972
CVE-2019-16971
CVE-2019-16991
CVE-2019-16990
CVE-2019-11410
CVE-2019-11409
CVE-2019-11408
CVE-2019-11407
CVE-2019-15029
CVE-2019-16980
CVE-2019-16979
CVE-2019-16978
CWE ID CWE-79
CWE-284
CWE-77
CWE-200
CWE-89
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #25 is available.
Vulnerable software
Subscribe
FusionPBX
Server applications / SCADA systems

Vendor FusionPBX

Security Advisory

Updated 24.10.2019
Added vulnerabilities #22,23
Updated 25.10.2019
Added vulnerabilities #24-31

1) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16989

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "c" variable to app\conferences_active\conference_interactive.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/83123e314a2e4c2dd0815446f89bcad97278d98d
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-19/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=e7d9acc9-d629-4f7c-adef-dd95344fdb9f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16988

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "eavesdrop_dest" variable to app\basic_operator_panel\resources\content.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/7fec1014ff0d08e36be6a3f7664edb3a9df7b4ac
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-18/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16987

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "query_string" variable to app\contacts\contact_import.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/ccdb27536d3549b5c0c317e3665fff231631ec77
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-17/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=6435167c-0960-47ea-a8c9-b3f46611b25d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper access control

Severity: Medium

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16986

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the application allows an attacker to download arbitrary file from the system passed via the "f" HTTP parameter to "/resources/download.php" or "/resources/secure_download.php" scripts. A remote authenticated user can pass a full filename to the application and download arbitrary file from the server using directory traversal sequences.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951
https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-2/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper access control

Severity: Medium

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16985

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in app\xml_cdr\xml_cdr_delete.php when processing base64-encoded file names. A remote authenticated user can pass a base64-encoded filename to the application and permanently delete arbitrary file on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/284b0a91968f126fd6be0a486a84e065926905ca
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-1/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=bee80ee5-8c44-4c13-9ebb-3424177aa8db

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16984

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "filename" variable to the app\recordings\recording_play.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/11f2dd2254dbeb1c41bf19b8c38e8fa9bc948efb
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-16/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=4b6e3286-4813-4ae6-8637-b6b57fd5205b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16983

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "param"  HTTP parameter to resources\paging.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/23581e56e9a4d1685ddf1c7d67137417d654e134
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-15/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2a1baae1-b906-4577-a10b-b1734f9fe4b2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16982

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\access_controls\access_control_nodes.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/c9f87dc16def2135930ebbfd667651cc3f6de2ff
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-14/
https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=af41abf3-8f92-41b6-973a-89ef8cd14be5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16976

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the URL to app\destinations\destination_imports.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/d6ea02d896b2c57dec491ee3b36ec102639270be
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-9/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16975

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "id" parameter to app\contacts\contact_notes.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/80f2ce087ab1343f1ff3bf8a058eed9b5027eb8c
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-8/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16977

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data pased via URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update your software from Git repository.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/fc8e4e2d278ce6bffff21b04248d469a59eb8cd4
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-10/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16981

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\conference_profiles\conference_profile_params.php " file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 10/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/021ff8f8e51cd1254d19e88e7aedc4b795067f8d
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-13/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Command Injection

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16965

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "resources/cmd.php" file. A remote authenticated administrator can execute arbitrary commands on the host as www-data.

Mitigation

Install updates released on 15/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/6baad9af1bc55c80b793af3bd1ac35b39c20b173
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-2/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Command Injection

Severity: Medium

CVSSv3: 7.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16964

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "app/call_centers/cmd.php" file. A remote authenticated attacker (with at least permissions call_center_queue_add or call_center_queue_edit) can execute arbitrary commands on the host as www-data.


Mitigation

Install updates released on 15/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/2f9e591a4034c3aea70185dcab837946096449bf
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16970

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\sip_status\sip_status.php" file uses an unsanitized "savemsg" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 21/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/a55f1cd5d8edd655058152e9acf212680d5b75f3
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-3/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16968

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\conference_controls\conference_control_details.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 08/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/02378c54722d89f875c66ddb00ff06468dabbc6d
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16974

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\contacts\contact_times.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 13/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/bcc75d63aa5b721f699a2b416425943ad7707825
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-7/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16969

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\fifo_list\fifo_interactive.php" file uses an unsanitized "c" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 21/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/d3679bbeface57a21f6623cbc193b04a7fc0a885
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-2/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16973

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\contacts\contact_edit.php" file uses an unsanitized "query_string" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 13/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/cc820b2eb12a3b7070afdcb7f977f70a1d49ce49
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-6/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16972

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\contacts\contact_addresses.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 13/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/913ad234cf145a55e5f2faaab08d776d83c1699b
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-5/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Reflected cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16971

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the "app\messages\messages_thread.php" file uses an unsanitized "contact_uuid" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 21/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/c48a160af53352ad1a43518b7d0faab16b8dfbcc
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16991

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "file" variable to app\edit\filedelete.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 10/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper access control

Severity: Medium

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16990

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in app/music_on_hold/music_on_hold.php file when processing base64-encoded file names. A remote authenticated user can pass a base64-encoded filename to the application and download any pathname on the system.

Mitigation

Install updates released on 15/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/95ed18aa9d781f232f5686a9027bb6f677c9b8da
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-3/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Command Injection

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11410

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "app/backup/index.php" file in the Backup Module. A remote authenticated administrator can upload a file with a specially crafted filename and execute arbitrary commands on the host.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
https://github.com/fusionpbx/fusionpbx/commit/0f965c89288de449236ad6de4f97960814ce8c84

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Command Injection

Severity: High

CVSSv3: 7.9 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11409

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "exec.php" component in the Operator Panel module. A remote authenticated attacker can execute arbitrary commands on the host.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

26) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11408

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "app/operator_panel/index_inc.php" file in the Operator Panel module. A remote attacker can initiate a call from outside of the network with a specially crafted caller ID number, trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
https://github.com/fusionpbx/fusionpbx/commit/391a23d070f3036d0c7760992f6970b0a76ee4d7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Information disclosure

Severity: Medium

CVSSv3: 4.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11407

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the "app/operator_panel/index_inc.php" file in the Operator Panel due to the debug parameter dumps the contents of several arrays, most notably the $_SESSION array. A remote authenticated administrator can gain unauthorized access to sensitive information on the system, such as the password for the FreeSWITCH event socket interface.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
https://github.com/fusionpbx/fusionpbx/commit/f38676b7b63bb1ec3a68d577fe23e6701f482aef

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Command Injection

Severity: Medium

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-15029

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "service_edit.php" file. A remote authenticated attacker can call the "services.php" file via a GET request with the service id followed by the parameter "a=start" and execute the stored command.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://drive.google.com/file/d/1bt08NSUaxu87LJJGdNd7LpvZ2uGauRK8/view?usp=sharing
https://gist.github.com/mhaskar/7a6a804cd68c7fec4f9d1f5c3507900f
https://shells.systems/fusionpbx-v4-4-8-authenticated-remote-code-execution-cve-2019-15029/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) SQL injection

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16980

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\call_broadcast\call_broadcast_edit.php script. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install updates released on 06/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/6fe372b3d4bb7ff07778d152886edcecc045c7ec
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sqli-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16979

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\contacts\contact_urls.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 13/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/a76d9637e31a70060ecc38786246a8b1c9178322
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-12/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Cross-site scripting

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-16978

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\devices\device_settings.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates released on 13/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

CPE External links

https://github.com/fusionpbx/fusionpbx/commit/83622c4ee1d9dd1913e9fb01ce8f060b46a5768a
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-11/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.