SEC-2022-001 Notice of security issue

Fixes for a new security issue were published last night. You should see dashboard notifications of module updates available, or, if you have auto-update enabled for security issues, dashboard notifications that the modules have already been updated.

https://wiki.freepbx.org/display/FOP/2022-04-12+SECURITY%3A+Potential+RCE+Issue

The nature of the vulnerability is the possibility of remote code execution by a UCP user, but only AFTER successful login.


So you have to have compromised credentials, so I personally see this as low risk. I have no idea what the presented proof of concept for this was, but I would be curious whether the person who discovered this was asked to review the fix. Looking at the OSS modules, I can only assume the attack vector. If I am assuming correctly, the changes would break the initial proof of concept but don't actually fix the attack vector. The attack vector is still present to anyone authenticated; one of the ways is simply editing client-side JavaScript.

That’s my take. Not rushing to patch out of band.

How can RCE be low risk? Even that it is post-authentication does not change its status from high to low, especially in systems that can easily be monetized, such as VoIP.

If you have credentials, there are many things you can do to the system, some of them on purpose. If you have credentials, you can actually "monetize" without needing an exploit at all. The point is that if credentials have been compromised, you likely have bigger concerns than an RCE. Remember, the difference between doing things and not doing things is authentication.
