This page lists publicly disclosed CVE vulnerabilities affecting freepbx freepbx (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2018-15891 | An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. | [email protected] | 4.8 | 0.35% | 2019-06-20 | 2024-11-21 |
| CVE-2014-7235 | htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014. | [email protected] | 10.0 | 48.66% | 2014-10-07 | 2026-05-06 |
| CVE-2014-1903 | admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php. | [email protected] | 7.5 | 84.50% | 2014-02-18 | 2026-04-29 |
| CVE-2009-4458 | Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 and 2.6.0rc2, and possibly other versions, allow remote attackers to inject arbitrary web script or HTML via the (1) tech parameter to admin/admin/config.php during a trunks display action, the (2) description parameter during an Add Zap Channel action, and (3) unspecified vectors during an Add Recordings action. | [email protected] | 4.3 | 2.15% | 2009-12-30 | 2026-04-23 |
| CVE-2009-1803 | FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. | [email protected] | 5.0 | 0.32% | 2009-05-28 | 2026-04-23 |
| CVE-2009-1802 | Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact. | [email protected] | 6.8 | 0.14% | 2009-05-28 | 2026-04-23 |
| CVE-2009-1801 | Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to inject arbitrary web script or HTML via the (1) display parameter to reports.php, the (2) order and (3) extdisplay parameters to config.php, and the (4) sort parameter to recordings/index.php. NOTE: some of these details are obtained from third party information. | [email protected] | 4.3 | 0.47% | 2009-05-28 | 2026-04-23 |
| CVE-2007-2350 | admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the del parameter. | [email protected] | 6.5 | 2.29% | 2007-04-30 | 2026-04-23 |
| CVE-2007-2191 | Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, (3) Call-ID, (4) User-Agent, and unspecified other SIP protocol fields, which are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php. | [email protected] | 6.8 | 7.60% | 2007-04-24 | 2026-04-23 |