| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.2 | $0-$5k | 0.00 |
Summary
A vulnerability was found in FreePBX 2.9/2.10. It has been rated as critical. Affected by this issue is some unknown functionality of the file callme_page.php. The manipulation of the argument action leads to code injection. This vulnerability is uniquely identified as CVE-2012-4869. Moreover, an exploit is present. To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability, which was classified as critical, has been found in FreePBX 2.9/2.10. This issue affects an unknown function of the file callme_page.php. The manipulation of the argument action with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, and integrity. The summary by CVE is:
The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.
The weakness was disclosed 03/22/2012 by Martin Tschirsich with Technische Universität Darmstadt as confirmed mailinglist post (Full-Disclosure). It is possible to read the advisory at archives.neohapsis.com. The vendor was not involved in the public release. The identification of this vulnerability is CVE-2012-4869 since 09/06/2012. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known. The attack technique deployed by this issue is T1059 according to MITRE ATT&CK.
A public exploit has been developed by Martin Tschirsich and been published 1 days after the advisory. The exploit is available at archives.neohapsis.com. It is declared as highly functional. By approaching the search of inurl:callme_page.php it is possible to find vulnerable targets with Google Hacking.
Applying the patch Unofficial Patch is able to eliminate this problem. The bugfix is ready for download at archives.neohapsis.com. A possible mitigation has been published before and not just after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (74174), Exploit-DB (18649), SecurityFocus (BID 52630†), OSVDB (80544†) and Secunia (SA48475†). The entries VDB-4902, VDB-4903, VDB-4904 and VDB-4905 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.1VulDB Meta Temp Score: 8.2
VulDB Base Score: 9.1
VulDB Temp Score: 8.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Code injectionCWE: CWE-94 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Author: Martin Tschirsich
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
OpenVAS ID: 902823
OpenVAS Name: FreePBX Multiple Cross Site Scripting and Remote Command Execution Vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
MetaSploit ID: freepbx_callmenum.rb
MetaSploit Name: FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
MetaSploit File: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Patch: Unofficial Patch
Timeline
03/20/2012 🔍03/20/2012 🔍
03/22/2012 🔍
03/22/2012 🔍
03/23/2012 🔍
03/26/2012 🔍
03/29/2012 🔍
09/06/2012 🔍
09/06/2012 🔍
01/13/2025 🔍
Sources
Advisory: archives.neohapsis.comResearcher: Martin Tschirsich
Organization: Technische Universität Darmstadt
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2012-4869 (🔍)
GCVE (CVE): GCVE-0-2012-4869
GCVE (VulDB): GCVE-100-4907
X-Force: 74174 - FreePBX callme_page.php command execution
SecurityFocus: 52630 - FreePBX Multiple Cross Site Scripting and Remote Command Execution Vulnerabilities
Secunia: 48475 - FreePBX Multiple Cross-Site Scripting Vulnerabilities, Less Critical
OSVDB: 80544
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/29/2012 17:30Updated: 01/13/2025 03:37
Changes: 03/29/2012 17:30 (81), 04/26/2018 10:46 (7), 01/13/2025 03:37 (16)
Complete: 🔍
Cache ID: 216:6FE:103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.