ID CVE-2007-2191
Summary Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, (3) Call-ID, (4) User-Agent, and unspecified other SIP protocol fields, which are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php.
References
Vulnerable Configurations
  • cpe:2.3:o:bsd:bsd:*:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:hp-ux:*:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:tru64:*:*:*:*:*:*:*:*
  • cpe:2.3:o:ibm:aix:*:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • cpe:2.3:o:santa_cruz_operation:sco_unix:*:*:*:*:*:*:*:*
  • cpe:2.3:o:sun:solaris:*:*:*:*:*:*:*:*
  • cpe:2.3:a:freepbx:freepbx:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:freepbx:freepbx:2.2_rc1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 29-07-2017 - 01:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
bid 23575
fulldisc 20070419 XSS in freePBX 2.2.x portal's Asterisk Log tool
osvdb 35315
secunia 24935
sreason 2627
vupen ADV-2007-1535
xf freepbx-sip-xss(33772)
Last major update 29-07-2017 - 01:31
Published 24-04-2007 - 17:19
Last modified 29-07-2017 - 01:31