How to read details on security vulnerabilities reported in the FreePBX main screen?

There is a CDR vulnerability I would like to read more about. I see the warning in the FreePBX main screen like normal, but there doesn’t seem to be a way to learn more by clicking on it etc. I have searched this forum and Google for the code shown, SEC-2015-001, and for the full and partial text of the message. I have checked the Wiki; I found a bug list tracker but was unable to find anything related to this warning. I am sure it’s in some obvious place, but could someone be so kind as to point me in the right direction? I would like to find details on the warning below as well as future warnings. Thanks.

Warning Text:
cdr (Cur v. 12.0.5) should be upgraded to v. 12.0.17 to fix security issues: SEC-2015-001

Some things are better off not being made public.

Why not just upgrade the module to address?

This was super minor so it didn’t warrant any major parade or announcement. The gist is as follows.

A community member noted that, while logged in, they could inject SQL commands into the cdr module.

Because this required authentication and had no privilege or remote code vectors it is not considered a big deal. Because this was originally posted to our security team it did get a security designation on release.

There are no secrets here. Please note all of the FreePBX code is available at http://git.freepbx.org and mirrored on github.com/FreePBX so you can see all commits and changes between tags.

Remember, if you find any potential security issues, major or minor, let us know by sending an email to [email protected].

Thanks so much! I do appreciate the details; our IT management likes to look at things very carefully before applying updates so this is very helpful.

(Not OP)