Vulnerability Description
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freepbx | Freepbx | 2.10.0.0 |
| Sangoma | Freepbx | <= 2.9.0.8 |
Related Weaknesses (CWE)
References
- http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-c
- http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Accoun
- http://secunia.com/advisories/61601
- http://www.securityfocus.com/bid/70188
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
- https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d83
- https://www.exploit-db.com/exploits/41005/
- http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-c
- http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Accoun
- http://secunia.com/advisories/61601
- http://www.securityfocus.com/bid/70188
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
- https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d83
- https://www.exploit-db.com/exploits/41005/
FAQ
What is CVE-2014-7235?
CVE-2014-7235 is a vulnerability with a CVSS score of 10.0 (HIGH). htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary co...
How severe is CVE-2014-7235?
CVE-2014-7235 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-7235?
Check the references section above for vendor advisories and patch information. Affected products include: Freepbx Freepbx, Sangoma Freepbx.