SB2019102315 - Multiple vulnerabilities in FusionPBX
Published: October 23, 2019 Updated: October 25, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 31 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2019-16989)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "c" variable to app\conferences_active\conference_interactive.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2019-16988)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "eavesdrop_dest" variable to app\basic_operator_panel\resources\content.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2019-16987)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "query_string" variable to app\contacts\contact_import.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Improper access control (CVE-ID: CVE-2019-16986)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the application allows an attacker to download arbitrary file from the system passed via the "f" HTTP parameter to "/resources/download.php" or "/resources/secure_download.php" scripts. A remote authenticated user can pass a full filename to the application and download arbitrary file from the server using directory traversal sequences.
5) Improper access control (CVE-ID: CVE-2019-16985)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in app\xml_cdr\xml_cdr_delete.php when processing base64-encoded file names. A remote authenticated user can pass a base64-encoded filename to the application and permanently delete arbitrary file on the system.
6) Cross-site scripting (CVE-ID: CVE-2019-16984)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "filename" variable to the app\recordings\recording_play.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Cross-site scripting (CVE-ID: CVE-2019-16983)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "param" HTTP parameter to resources\paging.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Cross-site scripting (CVE-ID: CVE-2019-16982)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\access_controls\access_control_nodes.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Cross-site scripting (CVE-ID: CVE-2019-16976)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the URL to app\destinations\destination_imports.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
10) Cross-site scripting (CVE-ID: CVE-2019-16975)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "id" parameter to app\contacts\contact_notes.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) Cross-site scripting (CVE-ID: CVE-2019-16977)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data pased via URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
12) Reflected cross-site scripting (CVE-ID: CVE-2019-16981)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\conference_profiles\conference_profile_params.php " file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
13) Command Injection (CVE-ID: CVE-2019-16965)
The vulnerability exists due to a lack of input validation in the "resources/cmd.php" file. A remote authenticated administrator can execute arbitrary commands on the host as www-data.
14) Command Injection (CVE-ID: CVE-2019-16964)
15) Reflected cross-site scripting (CVE-ID: CVE-2019-16970)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\sip_status\sip_status.php" file uses an unsanitized "savemsg" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
16) Reflected cross-site scripting (CVE-ID: CVE-2019-16968)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\conference_controls\conference_control_details.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
17) Reflected cross-site scripting (CVE-ID: CVE-2019-16974)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\contacts\contact_times.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
18) Reflected cross-site scripting (CVE-ID: CVE-2019-16969)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\fifo_list\fifo_interactive.php" file uses an unsanitized "c" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
19) Reflected cross-site scripting (CVE-ID: CVE-2019-16973)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\contacts\contact_edit.php" file uses an unsanitized "query_string" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
20) Reflected cross-site scripting (CVE-ID: CVE-2019-16972)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\contacts\contact_addresses.php" file uses an unsanitized "id" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
21) Reflected cross-site scripting (CVE-ID: CVE-2019-16971)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the "app\messages\messages_thread.php" file uses an unsanitized "contact_uuid" variable coming from the URL. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) Cross-site scripting (CVE-ID: CVE-2019-16991)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "file" variable to app\edit\filedelete.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
23) Improper access control (CVE-ID: CVE-2019-16990)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in app/music_on_hold/music_on_hold.php file when processing base64-encoded file names. A remote authenticated user can pass a base64-encoded filename to the application and download any pathname on the system.
24) Command Injection (CVE-ID: CVE-2019-11410)
25) Command Injection (CVE-ID: CVE-2019-11409)
26) Cross-site scripting (CVE-ID: CVE-2019-11408)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "app/operator_panel/index_inc.php" file in the Operator Panel module. A remote attacker can initiate a call from outside of the network with a specially crafted caller ID number, trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
27) Information disclosure (CVE-ID: CVE-2019-11407)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the "app/operator_panel/index_inc.php" file in the Operator Panel due to the debug parameter dumps the contents of several arrays, most notably the $_SESSION array. A remote authenticated administrator can gain unauthorized access to sensitive information on the system, such as the password for the FreeSWITCH event socket interface.
28) Command Injection (CVE-ID: CVE-2019-15029)
29) SQL injection (CVE-ID: CVE-2019-16980)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\call_broadcast\call_broadcast_edit.php script. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
30) Cross-site scripting (CVE-ID: CVE-2019-16979)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\contacts\contact_urls.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
31) Cross-site scripting (CVE-ID: CVE-2019-16978)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via an unsanitized "id" variable to app\devices\device_settings.php script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://github.com/fusionpbx/fusionpbx/commit/83123e314a2e4c2dd0815446f89bcad97278d98d
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-19/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=e7d9acc9-d629-4f7c-adef-dd95344fdb9f
- https://github.com/fusionpbx/fusionpbx/commit/7fec1014ff0d08e36be6a3f7664edb3a9df7b4ac
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-18/
- https://github.com/fusionpbx/fusionpbx/commit/ccdb27536d3549b5c0c317e3665fff231631ec77
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-17/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=6435167c-0960-47ea-a8c9-b3f46611b25d
- https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951
- https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-2/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1
- https://github.com/fusionpbx/fusionpbx/commit/284b0a91968f126fd6be0a486a84e065926905ca
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-1/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=bee80ee5-8c44-4c13-9ebb-3424177aa8db
- https://github.com/fusionpbx/fusionpbx/commit/11f2dd2254dbeb1c41bf19b8c38e8fa9bc948efb
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-16/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=4b6e3286-4813-4ae6-8637-b6b57fd5205b
- https://github.com/fusionpbx/fusionpbx/commit/23581e56e9a4d1685ddf1c7d67137417d654e134
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-15/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2a1baae1-b906-4577-a10b-b1734f9fe4b2
- https://github.com/fusionpbx/fusionpbx/commit/c9f87dc16def2135930ebbfd667651cc3f6de2ff
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-14/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=af41abf3-8f92-41b6-973a-89ef8cd14be5
- https://github.com/fusionpbx/fusionpbx/commit/d6ea02d896b2c57dec491ee3b36ec102639270be
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-9/
- https://github.com/fusionpbx/fusionpbx/commit/80f2ce087ab1343f1ff3bf8a058eed9b5027eb8c
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-8/
- https://github.com/fusionpbx/fusionpbx/commit/fc8e4e2d278ce6bffff21b04248d469a59eb8cd4
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-10/
- https://github.com/fusionpbx/fusionpbx/commit/021ff8f8e51cd1254d19e88e7aedc4b795067f8d
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-13/
- https://github.com/fusionpbx/fusionpbx/commit/6baad9af1bc55c80b793af3bd1ac35b39c20b173
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-2/
- https://github.com/fusionpbx/fusionpbx/commit/2f9e591a4034c3aea70185dcab837946096449bf
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-1/
- https://github.com/fusionpbx/fusionpbx/commit/a55f1cd5d8edd655058152e9acf212680d5b75f3
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-3/
- https://github.com/fusionpbx/fusionpbx/commit/02378c54722d89f875c66ddb00ff06468dabbc6d
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-1/
- https://github.com/fusionpbx/fusionpbx/commit/bcc75d63aa5b721f699a2b416425943ad7707825
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-7/
- https://github.com/fusionpbx/fusionpbx/commit/d3679bbeface57a21f6623cbc193b04a7fc0a885
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-2/
- https://github.com/fusionpbx/fusionpbx/commit/cc820b2eb12a3b7070afdcb7f977f70a1d49ce49
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-6/
- https://github.com/fusionpbx/fusionpbx/commit/913ad234cf145a55e5f2faaab08d776d83c1699b
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-5/
- https://github.com/fusionpbx/fusionpbx/commit/c48a160af53352ad1a43518b7d0faab16b8dfbcc
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-4/
- https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/
- https://github.com/fusionpbx/fusionpbx/commit/95ed18aa9d781f232f5686a9027bb6f677c9b8da
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-3/
- https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
- https://github.com/fusionpbx/fusionpbx/commit/0f965c89288de449236ad6de4f97960814ce8c84
- https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611
- https://github.com/fusionpbx/fusionpbx/commit/391a23d070f3036d0c7760992f6970b0a76ee4d7
- https://github.com/fusionpbx/fusionpbx/commit/f38676b7b63bb1ec3a68d577fe23e6701f482aef
- https://drive.google.com/file/d/1bt08NSUaxu87LJJGdNd7LpvZ2uGauRK8/view?usp=sharing
- https://gist.github.com/mhaskar/7a6a804cd68c7fec4f9d1f5c3507900f
- https://shells.systems/fusionpbx-v4-4-8-authenticated-remote-code-execution-cve-2019-15029/
- https://github.com/fusionpbx/fusionpbx/commit/6fe372b3d4bb7ff07778d152886edcecc045c7ec
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sqli-1/
- https://github.com/fusionpbx/fusionpbx/commit/a76d9637e31a70060ecc38786246a8b1c9178322
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-12/
- https://github.com/fusionpbx/fusionpbx/commit/83622c4ee1d9dd1913e9fb01ce8f060b46a5768a
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-11/