CVE-2009-4458

FreePBX 2.5.2 and 2.6.0rc2 - Cross-Site Scripting via Tech Parameter and Description Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-4458. PoCs published by Global-Evolution.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in FreePBX 2.5.2 by injecting malicious script code into the 'description' field of a form. It also includes a PHP script to capture cookies via a crafted GET request.

Description

Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 and 2.6.0rc2, and possibly other versions, allow remote attackers to inject arbitrary web script or HTML via the (1) tech parameter to admin/admin/config.php during a trunks display action, the (2) description parameter during an Add Zap Channel action, and (3) unspecified vectors during an Add Recordings action.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Global-Evolution · textwebappsphp
https://www.exploit-db.com/exploits/33443

This exploit demonstrates a cross-site scripting (XSS) vulnerability in FreePBX 2.5.2 by injecting malicious script code into the 'description' field of a form. It also includes a PHP script to capture cookies via a crafted GET request.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: FreePBX 2.5.2
Auth required
Prerequisites: Access to a vulnerable FreePBX instance · User interaction to submit the malicious form
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Global-Evolution · textwebappsphp
https://www.exploit-db.com/exploits/33442

This exploit demonstrates a cross-site scripting (XSS) vulnerability in FreePBX by injecting malicious script code via the 'tech' parameter in the URL. The script steals the user's cookie and sends it to an attacker-controlled server.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: FreePBX 2.5.2
No auth needed
Prerequisites: Victim must visit the crafted URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Global-Evolution · textwebappsphp
https://www.exploit-db.com/exploits/10645

This exploit demonstrates multiple XSS vulnerabilities in FreePBX, including client-side and server-side attacks. It provides proof-of-concept code for injecting malicious scripts to steal session data (cookies) via crafted URLs and form inputs.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: FreePBX v2.6.x & 2.5.2.x
Auth required
Prerequisites: Access to the admin interface · Low-privileged user account
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/61357
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/55054
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/10645
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37972
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/55053
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/61358
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37482

Scores

EPSS 0.0185
EPSS Percentile 76.3%

Details

CWE
CWE-79
Status published
Products (2)
freepbx/freepbx 2.5.2
freepbx/freepbx 2.6.0 rc2
Published Dec 30, 2009
Tracked Since Feb 18, 2026