Sangoma Freepbx vulnerabilities
40 known vulnerabilities affecting sangoma/freepbx.
Total CVEs: 40
CISA KEV: 2 (actively exploited)
Public exploits: 7
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 19, MEDIUM 15
Vulnerabilities
Page 2 of 2
CVE-2020-36630 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 14.0, < 14.0.5.21 | published 2022-12-25
A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to SQL injection. Upgrading to version 14.0.5.21 is able to address this issue. The name of the patch is f1a9eea2dfff30fb99d825bac194a676a82b9ec8.
Source: nvd
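The limit/offset injection class named in the CVE-2020-36630 entry, as an added example that is not FreePBX code: a constructed SQLite schema (a cdr table and an ampusers table holding a made-up hash) stands in for the real database. fetch_cdr_vulnerable interpolates the untrusted values straight into the LIMIT clause, so a subquery placed there turns the number of rows returned into a blind oracle for data in another table; fetch_cdr_hardened validates both values as bounded integers and binds them as parameters, which is the fix pattern for pagination parameters in any SQL dialect. Table names, column names, the sample rows and the payload are assumptions for illustration.

```python
import sqlite3

# Constructed schema and rows: stand-ins for a PBX call-detail-record table
# and an admin-user table. The hash value is made up.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE cdr (id INTEGER PRIMARY KEY, src TEXT, dst TEXT);
        CREATE TABLE ampusers (username TEXT, password_sha1 TEXT);
        INSERT INTO ampusers VALUES ('admin', 'deadbeef');
        """
    )
    con.executemany(
        "INSERT INTO cdr (src, dst) VALUES (?, ?)",
        [(f"10{i:02d}", "2000") for i in range(20)],  # 20 sample calls
    )
    return con


def fetch_cdr_vulnerable(con: sqlite3.Connection, limit, offset) -> list:
    # Weak pattern: pagination values from the request are concatenated into
    # the query text. LIMIT/OFFSET accept arbitrary scalar expressions, so
    # the attacker controls SQL even though there are no quotes to break out of.
    sql = f"SELECT id, src, dst FROM cdr ORDER BY id LIMIT {limit} OFFSET {offset}"
    return con.execute(sql).fetchall()


# Blind payload (assumed for the demo): the row count of the response now
# equals the length of the admin's stored hash. Repeating this with
# substr()/unicode() subqueries would recover the value byte by byte.
BLIND_PAYLOAD = (
    "(SELECT length(password_sha1) FROM ampusers WHERE username = 'admin')"
)


def to_bounded_int(value, name: str, lo: int, hi: int) -> int:
    """Accept only a base-10 integer within [lo, hi]; reject everything else."""
    try:
        n = int(str(value).strip(), 10)
    except ValueError as exc:
        raise ValueError(f"{name} must be an integer") from exc
    if not lo <= n <= hi:
        raise ValueError(f"{name} out of range ({lo}..{hi})")
    return n


def fetch_cdr_hardened(con: sqlite3.Connection, limit, offset) -> list:
    # Validate as integers with sane bounds, then bind as parameters so the
    # values can never be interpreted as SQL. (With MySQL/PDO the same idea
    # applies, but the bound values must be typed as integers, not strings.)
    n = to_bounded_int(limit, "limit", 1, 1000)
    o = to_bounded_int(offset, "offset", 0, 10**9)
    return con.execute(
        "SELECT id, src, dst FROM cdr ORDER BY id LIMIT ? OFFSET ?", (n, o)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal page:", len(fetch_cdr_vulnerable(db, 5, 0)), "rows")
    print("vulnerable, blind payload:", len(fetch_cdr_vulnerable(db, BLIND_PAYLOAD, 0)), "rows")
    try:
        fetch_cdr_hardened(db, BLIND_PAYLOAD, 0)
    except ValueError as e:
        print("hardened rejected payload:", e)
```

The hardened version also caps the page size; an unbounded but well-formed LIMIT is a cheap way to dump an entire CDR table through a single request.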
CVE-2019-19538 | P3 | HIGH | CVSS 7.2 | fixed in 13.0.92; affected: ≥ 14.0.0.0, < 14.0.38.3 (+1 more) | published 2020-03-16
Sangoma FreePBX 13 through 15 and the sysadmin (aka System Admin) module 13.0.92 through 15.0.13.6 have a Remote Command Execution vulnerability that results in Privilege Escalation.
Source: nvd
CVE-2025-59056 | P3 | HIGH | CVSS 7.5 | CWE-22 | affected: ≥ 15.0, < 15.0.38; ≥ 16.0, < 16.0.41 (+1 more) | published 2025-09-15
FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability
Source: nvd
CVE-2025-67722 | P3 | HIGH | CVSS 7.8 | CWE-426 | affected: ≥ 16.0, < 16.0.45; ≥ 17.0, < 17.0.24 | published 2025-12-16
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/
Source: nvd
CVE-2018-6393 | P3 | HIGH | CVSS 7.2 | CWE-89 | affected: v10.13.66, v14.0.1.24 | published 2018-01-29
FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input va
Source: nvd
CVE-2012-4870 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | public PoC | affected: ≤ 2.9 | published 2012-09-06
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) context parameter to panel/index_amp.php or (2) panel/dhtml/index.php; (3) clid or (4) clidname parameters to panel/flash/mypage.php; (5) PATH_INFO to admin/views/freepbx_reload.php; or (6) login param
Source: nvd
CVE-2024-53564 | P3 | HIGH | CVSS 7.2 | CWE-434 | affected: v17.0.19.17 | published 2024-12-02
A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.
Source: nvd
CVE-2019-25090 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 13.0.5.4 | published 2022-12-27
A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of the component Views Handler. The manipulation of the argument dataurl leads to cross site scripting. The attack may be launched remotely. Upgrading to version 13.0.5.4 is able to address this issue. The
Source: nvd
CVE-2019-16967 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 14.0.10.3 | published 2019-10-21
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
Source: nvd
CVE-2025-59429 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 16.0.68.39; affected: ≥ 17.0.1, < 17.0.18.38 | published 2025-10-14
FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and is available by default on version 16 via any bound IP a
Source: nvd
CVE-2019-16966 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: v14.0.10.3 | published 2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested vi
Source: nvd
CVE-2009-1802 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | affected: v2.4.0, v2.5.0 | published 2009-05-28
Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact.
Source: nvd
CVE-2009-1803 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | affected: v2.4.0, v2.5.0 | published 2009-05-28
FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
Source: nvd
CVE-2019-19852 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 13.0, ≤ 13.0.26.9; ≥ 14.0, ≤ 14.0.2.14 (+1 more) | published 2020-03-16
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.
Source: nvd
CVE-2019-19551 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 13.0, ≤ 13.0.76.43; ≥ 14.0, ≤ 14.0.7 (+1 more) | published 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user
Source: nvd
CVE-2019-19851 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≤ 13.0.4.7; ≥ 14.0.0.0, ≤ 14.0.24 (+1 more) | published 2020-03-16
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.
Source: nvd
CVE-2018-15891 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 13.0.122.43; affected: ≥ 14.0.0, < 14.0.18.34 (+2 more) | published 2019-06-20
An issue was discovered in FreePBX core before 13.0.122.43, 14.0.18.34, and 15.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
Source: nvd
CVE-2019-19615 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 14.0.10.2, ≤ 14.0.10.7 | published 2020-03-16
Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify the id parameter of the backup configuration screen and embed malicious XSS code via a link. When another user (such as an admin) clic
Source: nvd
CVE-2019-19552 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 13.0, ≤ 13.0.76.43; ≥ 14.0, ≤ 14.0.7 (+1 more) | published 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management
Source: nvd
CVE-2009-1801 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affected: v2.4.0, v2.5.0 | published 2009-05-28
Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php. NOTE: som
Source: nvd