Any chance of knowing where the CVE is for this GHSA-q3h9-fmpr-vpfw? Can’t see it in GitHub either.
CVE-2025-62173 is now published: Authenticated SQL Injection in Phone Apps REST API · Advisory · FreePBX/security-reporting · GitHub
Why does it give warnings all over the dashboard, and give it that god-awful amber colour in module admin, when the commercial phone apps is not installed, not even on the system - totally removed? It shouldn't say anything if it ain't installed at all; unnecessary FUD for those who removed it.
Would you please consider posting some screenshots from Module Admin and maybe output of ls -last /var/www/html/admin/modules/ ?
I’m 2 weeks into my vacation, so I regrettably cannot access the web interface, but my VPN link allows me to access the PBX. I’ll try to attach the ls output.
OK, that eventually worked.
Merry Christmas
modules.txt.tgz (1.3 KB)
Near the top of that modules list is restapps (which is the machine name for Phone Apps):
total 464
4 drwxrwxr-x 116 asterisk asterisk 4096 Dec 15 03:35 .
4 drwxrwxr-x 2 asterisk asterisk 4096 Dec 15 03:35 _cache
4 drwxrwxr-x 5 asterisk asterisk 4096 Dec 15 03:34 framework
4 drwxrwxr-x 20 asterisk asterisk 4096 Dec 8 02:28 core
4 drwxrwxr-x 12 asterisk asterisk 4096 Dec 3 20:18 restapps