Command Injection in FusionPBX

#VU22195 Command Injection in FusionPBX

Published: 2019-10-23

Vulnerability identifier: #VU22195

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16965

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FusionPBX
Server applications / SCADA systems

Vendor: FusionPBX

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a lack of input validation in the "resources/cmd.php" file. A remote authenticated administrator can execute arbitrary commands on the host as www-data.

Mitigation
Install updates released on 15/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

External links
http://github.com/fusionpbx/fusionpbx/commit/6baad9af1bc55c80b793af3bd1ac35b39c20b173
http://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-sofia-api-command-injection-2/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in FusionPBX