Improper access control in FusionPBX

#VU22254 Improper access control in FusionPBX

Published: 2019-10-24

Vulnerability identifier: #VU22254

Vulnerability risk: Medium

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16990

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FusionPBX
Server applications / SCADA systems

Vendor: FusionPBX

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in app/music_on_hold/music_on_hold.php file when processing base64-encoded file names. A remote authenticated user can pass a base64-encoded filename to the application and download any pathname on the system.

Mitigation
Install updates released on 15/08/2019 on 4.4 and Master branches.

Vulnerable software versions

FusionPBX: Master

External links
http://github.com/fusionpbx/fusionpbx/commit/95ed18aa9d781f232f5686a9027bb6f677c9b8da
http://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-3/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in FusionPBX