FreePBX voicemail prior to 14.0.6.25 Settings views/ssettings.php key cross site scripting

A vulnerability was found in FreePBX voicemail. It has been rated as problematic. Affected by this issue is some unknown functionality of the file views/ssettings.php of the component Settings Handler. The manipulation of the argument key leads to cross site scripting; using CWE to declare the problem leads to CWE-79. The attack may be launched remotely, and the MITRE ATT&CK project classifies the technique as T1059.007 (JavaScript). This vulnerability is tracked as CVE-2021-4283.

The weakness was disclosed on 12/27/2022; the advisory identifier is the fixing commit, ffce4882016076acd16fe0f676246905aa3cb2f3, which is shared for download at github.com. Technical details are available. There is no public exploit available; the exploitability is declared as not defined, and the estimated 0-day price at the time was, and the current price for an exploit might be, approximately USD $0-$5k.

Upgrading to version 14.0.6.25 addresses this issue. The updated version and the patch (ffce4882016076acd16fe0f676246905aa3cb2f3) are ready for download at github.com. It is recommended to upgrade the affected component. The fix was published before, not only after, the disclosure of the vulnerability.

Note that the CNA (VulDB) and NVD scored this entry differently, as recorded in the change log below: the CNA vector (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) yields a base score of 2.4, while the NVD vector (PR:L, S:C and C:L instead of PR:H, S:U and C:N) yields 5.4. The two assessments differ in the privileges required, the scope and the confidentiality impact; choose the one matching the privilege level at which the Settings view is reachable in your deployment.
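The CWE-79 pattern described above, as an added illustration in PHP. This is not FreePBX code and not the content of commit ffce4882016076acd16fe0f676246905aa3cb2f3 (this page does not reproduce that diff): a hypothetical view function that reflects a request parameter named key into HTML is shown unescaped beside a form escaped with htmlspecialchars. The function names, the markup and the sample payload are constructed for the example.

```php
<?php
// Added illustration (not FreePBX's views/ssettings.php): a view that
// reflects a request parameter named "key" into an HTML label.

// Vulnerable form (CWE-79): the raw value is concatenated into markup, so a
// value containing a quote and a tag breaks out of the attribute and the text.
function render_setting_vulnerable(string $key): string
{
    return '<label for="setting_' . $key . '">' . $key . '</label>';
}

// Hardened form: escape for the HTML context. ENT_QUOTES covers both quote
// styles (needed inside attributes), ENT_SUBSTITUTE avoids an empty string on
// invalid UTF-8, and the charset is stated explicitly.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_setting_fixed(string $key): string
{
    return '<label for="setting_' . esc($key) . '">' . esc($key) . '</label>';
}

// Constructed sample input (a generic reflected-XSS probe, not an exploit for
// FreePBX). $_GET is empty when run from the CLI, so the fallback is used.
$key = $_GET['key'] ?? '"><script>alert(1)</script>';

echo "vulnerable: ", render_setting_vulnerable($key), "\n";
// -> <label for="setting_"><script>alert(1)</script>">"><script>alert(1)</script></label>
echo "fixed:      ", render_setting_fixed($key), "\n";
// -> <label for="setting_&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</label>
```

Run with `php example.php` to compare the two renderings, or serve it and request `?key=...` to see the browser execute the unescaped variant. Escaping at output time, per context, is the general fix; a view that also emits the value into a JavaScript string or a URL needs a different encoder for that context.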

Change log (field values at each revision of this entry; an empty cell means the field was not set in that revision):

Field                  | 12/27/2022 10:51           | 01/24/2023 20:25           | 01/24/2023 20:32
vendor                 | FreePBX                    | FreePBX                    | FreePBX
name                   | voicemail                  | voicemail                  | voicemail
component              | Settings Handler           | Settings Handler           | Settings Handler
file                   | views/ssettings.php        | views/ssettings.php        | views/ssettings.php
argument               | key                        | key                        | key
cwe                    | 79 (cross site scripting)  | 79 (cross site scripting)  | 79 (cross site scripting)
risk                   | 1                          | 1                          | 1
cvss3_vuldb_av         | N                          | N                          | N
cvss3_vuldb_ac         | L                          | L                          | L
cvss3_vuldb_pr         | H                          | H                          | H
cvss3_vuldb_ui         | R                          | R                          | R
cvss3_vuldb_s          | U                          | U                          | U
cvss3_vuldb_c          | N                          | N                          | N
cvss3_vuldb_i          | L                          | L                          | L
cvss3_vuldb_a          | N                          | N                          | N
cvss3_vuldb_rl         | O                          | O                          | O
cvss3_vuldb_rc         | C                          | C                          | C
identifier             | ffce4882016076acd16fe0f676246905aa3cb2f3 | (unchanged) | (unchanged)
url                    | https://github.com/FreePBX/voicemail/commit/ffce4882016076acd16fe0f676246905aa3cb2f3 | (unchanged) | (unchanged)
name (countermeasure)  | Upgrade                    | Upgrade                    | Upgrade
upgrade_version        | 14.0.6.25                  | 14.0.6.25                  | 14.0.6.25
upgrade_url            | https://github.com/FreePBX/voicemail/releases/tag/release%2F14.0.6.25 | (unchanged) | (unchanged)
patch_name             | ffce4882016076acd16fe0f676246905aa3cb2f3 | (unchanged) | (unchanged)
patch_url              | https://github.com/FreePBX/voicemail/commit/ffce4882016076acd16fe0f676246905aa3cb2f3 | (unchanged) | (unchanged)
cve                    | CVE-2021-4283              | CVE-2021-4283              | CVE-2021-4283
responsible            | VulDB                      | VulDB                      | VulDB
date                   | 1672095600 (12/27/2022)    | 1672095600 (12/27/2022)    | 1672095600 (12/27/2022)
cvss2_vuldb_av         | N                          | N                          | N
cvss2_vuldb_ac         | L                          | L                          | L
cvss2_vuldb_au         | M                          | M                          | M
cvss2_vuldb_ci         | N                          | N                          | N
cvss2_vuldb_ii         | P                          | P                          | P
cvss2_vuldb_ai         | N                          | N                          | N
cvss2_vuldb_rc         | C                          | C                          | C
cvss2_vuldb_rl         | OF                         | OF                         | OF
cvss2_vuldb_e          | ND                         | ND                         | ND
cvss3_vuldb_e          | X                          | X                          | X
cvss2_vuldb_basescore  | 3.3                        | 3.3                        | 3.3
cvss2_vuldb_tempscore  | 2.9                        | 2.9                        | 2.9
cvss3_vuldb_basescore  | 2.4                        | 2.4                        | 2.4
cvss3_vuldb_tempscore  | 2.3                        | 2.3                        | 2.3
cvss3_meta_basescore   | 2.4                        | 2.4                        | 3.4
cvss3_meta_tempscore   | 2.3                        | 2.3                        | 3.4
price_0day             | $0-$5k                     | $0-$5k                     | $0-$5k
cve_assigned           |                            | 1672095600 (12/27/2022)    | 1672095600 (12/27/2022)
cve_nvd_summary        |                            | see below                  | (unchanged)
cvss3_nvd_av           |                            |                            | N
cvss3_nvd_ac           |                            |                            | L
cvss3_nvd_pr           |                            |                            | L
cvss3_nvd_ui           |                            |                            | R
cvss3_nvd_s            |                            |                            | C
cvss3_nvd_c            |                            |                            | L
cvss3_nvd_i            |                            |                            | L
cvss3_nvd_a            |                            |                            | N
cvss3_cna_av           |                            |                            | N
cvss3_cna_ac           |                            |                            | L
cvss3_cna_pr           |                            |                            | H
cvss3_cna_ui           |                            |                            | R
cvss3_cna_s            |                            |                            | U
cvss3_cna_c            |                            |                            | N
cvss3_cna_i            |                            |                            | L
cvss3_cna_a            |                            |                            | N
cve_cna                |                            |                            | VulDB
cvss3_nvd_basescore    |                            |                            | 5.4
cvss3_cna_basescore    |                            |                            | 2.4

cve_nvd_summary (as recorded from 01/24/2023 20:25 onward): A vulnerability was found in FreePBX voicemail. It has been rated as problematic. Affected by this issue is some unknown functionality of the file views/ssettings.php of the component Settings Handler. The manipulation of the argument key leads to cross site scripting. The attack may be launched remotely. Upgrading to version 14.0.6.25 is able to address this issue. The name of the patch is ffce4882016076acd16fe0f676246905aa3cb2f3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216872.

The CVSS 2 base score 3.3 (AV:N/AC:L/Au:M/C:N/I:P/A:N) with temporal E:ND/RL:OF/RC:C gives 2.9; the CVSS 3 CNA vector gives 2.4 and, with RL:O/RC:C, a temporal score of 2.3. The NVD vector differs from the CNA vector in PR (L vs H), S (C vs U) and C (L vs N), which is why the NVD base score is 5.4.
