CVE-2014-7235

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-7235
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.

10.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536
http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html
http://secunia.com/advisories/61601
http://www.securityfocus.com/bid/70188
https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836
https://www.exploit-db.com/exploits/41005/
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:freepbx:freepbx:2.10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.1:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.2:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.3:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.4:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.5:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.6:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.7:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.8:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.9:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.10.0.10:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.11.1.0:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.11.1.1:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.11.1.2:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.11.1.3:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:freepbx:2.11.1.4:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:2.11.0.0:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:2.11.0.1:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:2.11.0.2:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:2.11.0.3:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:2.11.0.4:*:*:*:*:*:*:*
History

No history.

Information

Published : 2014-10-07 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-7235

Mitre link : CVE-2014-7235

CVE.ORG link : CVE-2014-7235

JSON object : View

Products Affected

sangoma

  • freepbx

freepbx

  • freepbx
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')