CVE-2020-7351

HIGH

Netfortris Trixbox < 2.8.0.4 - OS Command Injection

Description

An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Anastasios Stasinopoulos (@ancst) · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/trixbox_ce_endpoint_devicemap_rce.rb

Scores

CVSS v3 7.3
EPSS 0.6886
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE
CWE-78
Status published
Products (1)
netfortris/trixbox 1.2.0 - 2.8.0.4
Published May 01, 2020
Tracked Since Feb 18, 2026