CVE-2014-7235
Basic Information
- CVE State: PUBLISHED
- Reserved Date: September 30, 2014
- Published Date: October 07, 2014
- Last Updated: August 06, 2024
- Vendor: FreePBX
- Product: ARI Framework module/Asterisk Recording Interface (ARI)
- Description: htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.
- Tags: php
- Exploited in the Wild: Yes (2014-10-07 14:00:00 UTC)
CVSS Scores
- CVSS v2.0: 10.0
- Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References
http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html
http://secunia.com/advisories/61601
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536
https://exchange.xforce.ibmcloud.com/vulnerabilities/96790
https://www.exploit-db.com/exploits/41005/
http://www.securityfocus.com/bid/70188
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
CVE | 2014-10-07 14:00:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel