CVE-2024-53564

A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.
Configurations

No configuration.

History

09 Jan 2025, 17:15

Type: CWE
Values Removed: CWE-94

09 Jan 2025, 01:15

Type: Summary
Values Removed: (en) A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.
Values Added: (en) A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

09 Jan 2025, 00:15

Type: Summary
Values Removed: (en) A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.
Values Added: (en) A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

08 Jan 2025, 19:15

Type: CVSS
Values Removed: v2 : unknown; v3 : 8.8
Values Added: v2 : unknown; v3 : 2.2

Type: Summary
Values Removed: (en) A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.
Values Added: (en) A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.

Type: CWE
Values Added: CWE-434

03 Dec 2024, 21:15

Type: Summary
Values Removed: (en) An authenticated arbitrary file upload vulnerability in the component /module_admin/upload.php of freepbx v17.0.19.17 allows attackers to execute arbitrary code via uploading a crafted file.
Values Added: (en) A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences.

03 Dec 2024, 19:15

Type: References
Values Added:
  • https://gist.github.com/hyp164D1/d419bdf3e7e352088a21631d0f452a8c

03 Dec 2024, 15:15

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 8.8

Type: CWE
Values Added: CWE-94

Type: Summary
Values Added:
  • (es, translated) An authenticated arbitrary file upload vulnerability in the component /module_admin/upload.php of freepbx v17.0.19.17 allows attackers to execute arbitrary code by uploading a specially crafted file.

02 Dec 2024, 18:15

New CVE

Information

Published : 2024-12-02 18:15

Updated : 2025-01-09 17:15


NVD link : CVE-2024-53564

Mitre link : CVE-2024-53564

CVE.ORG link : CVE-2024-53564

Products Affected

No product.

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type