Endpoint Security Issues GHSA-qgj3-f9gj-98v9, GHSA-292p-rj6h-54cp - Details?

My FreePBX server sent me an email stating that: endpoint has been automatically upgraded to fix security issues: GHSA-qgj3-f9gj-98v9, GHSA-292p-rj6h-54cp.

While that’s great, I can’t seem to find what issues were addressed. There doesn’t appear to be anything listed here: Security Overview · FreePBX/security-reporting · GitHub and the release notes for the package are as uninformative as usual:

17.0.6: Strengthened data validation and SQL injection protection
17.0.4: Fixing FREEI-2286 Sanitizing the subnet input field for network scan.
17.0.3: Adding validation for the AJAX request parameters.

Could someone reveal what the problems were?

Update: Just after I wrote this the GUI was stating that I needed to update to endpoint 17.0.6 to address these issues. Only 17.0.3 was installed and I have now manually installed 17.0.6 just now. Was the message saying that endpoint had autoupdated incorrect?


Yes :wink:

…is a good high-level summary, thank you. Some more details will be published soon.

That doesn’t sound quite right :thinking:

Couple of questions:

  1. What is the frequency/schedule of your module updates ?
  2. What is the output of $ fwconsole setting MODULE_REPO on the affected system(s)?

Three GHSA issues related to endpoint were published 2025-10-14T17:30:00Z covering the following CVEs:

  1. CVE-2025-59051 / GHSA-qgj3-f9gj-98v9
  2. CVE-2025-61675 / GHSA-292p-rj6h-54cp
  3. CVE-2025-61678 / GHSA-7p8x-8m3m-58j9

Please note that the above three issues all score at the same 0.9 (out of 10.0) on a modified CVSS 4.1 score (as discussed in my blog post from last month.)

Also @gsiemon would you please share the requested information regarding your module repository configuration details (e.g. MODULE_REPO setting) so that the (potential) security notification/update issue may be investigated further (along with your current FreePBX module versions, especially framework)?

root@freepbx:~# fwconsole setting MODULE_REPO
Setting of "MODULE_REPO" is (text)[https://mirror.freepbx.org]

I have the following settings in Module Admin:

  • Automatic Module Updates: Email Only
  • Automatic Module Security Updates: Enabled
  • Check for Updates every: Day between 8am and 12pm

Yesterday, at 11:04am (local time here in Australia) I received an email from the server with this:
endpoint has been automatically upgraded to fix security issues:
GHSA-qgj3-f9gj-98v9, GHSA-292p-rj6h-54cp

When I logged into the GUI I found endpoint at 17.0.3. I then subsequently found a notification in the GUI saying that I needed to upgrade to endpoint 17.0.6. It wasn’t showing as available when clicking on Check Online via Module Admin or fwconsole ma upgradeall and I ended up briefly switching my repo_mirror setting to the clearlyip one before I could download 17.0.6. I’ve previously had “temporary” issues getting access to updated modules from the FreePBX mirror servers (whichever one I’m hitting from Australia doesn’t seem to have the updates) but each time I’ve raised it Sangoma says that there’s no problem.

This is a fully up to date FreePBX 17 install (script install and the restored backup from FreePBX 16 server about 3 months ago). Framework version is 17.0.21, Core is at 17.0.18.34 (about to update to .38 which seems to have another vulnerability: GHSA-c8g7-475j-fwcc). Let me know if you want further version numbers.
