CVE-2014-7235

Published: Oct 7, 2014Modified: May 6, 2026

10.0

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability: 10.0 / Impact: 10.0

Source: NVD

Description

htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014.

Affected (22)

Products: Freepbx: Freepbx · Sangoma: Freepbx

1 product

1 product

Configuration A

22 vulnerable

Vulnerable Software	Affected Versions
Freepbx Freepbx	Version 2.10.0.0
Freepbx Freepbx	Version 2.10.0.10
Freepbx Freepbx	Version 2.10.0.1
Freepbx Freepbx	Version 2.10.0.2
Freepbx Freepbx	Version 2.10.0.3
Freepbx Freepbx	Version 2.10.0.4
Freepbx Freepbx	Version 2.10.0.5
Freepbx Freepbx	Version 2.10.0.6
Freepbx Freepbx	Version 2.10.0.7
Freepbx Freepbx	Version 2.10.0.8
Freepbx Freepbx	Version 2.10.0.9
Freepbx Freepbx	Version 2.11.1.0
Freepbx Freepbx	Version 2.11.1.1
Freepbx Freepbx	Version 2.11.1.2
Freepbx Freepbx	Version 2.11.1.3
Freepbx Freepbx	Version 2.11.1.4
Sangoma Freepbx	Up to 2.9.0.8
Sangoma Freepbx	Version 2.11.0.0
Sangoma Freepbx	Version 2.11.0.1
Sangoma Freepbx	Version 2.11.0.2
Sangoma Freepbx	Version 2.11.0.3
Sangoma Freepbx	Version 2.11.0.4

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (14)

http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536

Source: cve@mitre.org

http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html

Source: cve@mitre.org

http://secunia.com/advisories/61601

Source: cve@mitre.org

http://www.securityfocus.com/bid/70188

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/96790

Source: cve@mitre.org

https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

Source: cve@mitre.org

https://www.exploit-db.com/exploits/41005/

Source: cve@mitre.org

http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536

Source: af854a3a-2127-422b-91ae-364da2661108

http://packetstormsecurity.com/files/128516/FreePBX-Authentication-Bypass-Account-Creation.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/61601

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/70188

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/96790

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/41005/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.