CVE-2021-45461

EUVD-2021-32227
FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
sangomarestapps
15.0.19.87
sangomarestapps
15.0.19.88
sangomarestapps
16.0.18.40
sangomarestapps
16.0.18.41
𝑥
= Vulnerable software versions
References
https://community.freepbx.org/t/0-day-freepbx-exploit/80092
https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109
https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE
https://community.freepbx.org/t/0-day-freepbx-exploit/80092
https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109
https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE