CVE-2007-2191

Freepbx - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, (3) Call-ID, (4) User-Agent, and unspecified other SIP protocol fields, which are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by XenoMuta · phpremotemultiple

https://www.exploit-db.com/exploits/29873

View Code ZIP pw:eip

References (7)

[Exploit] http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053882.html

[Third Party Advisory, VDB Entry] http://osvdb.org/35315

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/33772

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/23575

[Third Party Advisory] http://secunia.com/advisories/24935

[Third Party Advisory] http://www.vupen.com/english/advisories/2007/1535

[Third Party Advisory] http://securityreason.com/securityalert/2627

Scores

EPSS 0.0760

EPSS Percentile 91.9%

Details

Status published

Products (2)

freepbx/freepbx 2.2.1

freepbx/freepbx 2.2_rc1

Published Apr 24, 2007

Tracked Since Feb 18, 2026