CVE-2024-24539
Description
FusionPBX before 5.2.0 does not validate a session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX before 5.2.0 fails to validate session IP and User-Agent, allowing session hijacking.
Vulnerability
FusionPBX versions before 5.2.0 lack session validation based on the client's IP address and User-Agent header. During session initialization, the application does not store a hash of these attributes (e.g., hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) or verify it on subsequent requests. This allows an attacker to reuse a stolen session identifier even when the request originates from a different IP address or browser. The missing validation affects the session management logic in core/authentication/resources/classes and the main session startup routine. [1][2]
Exploitation
An attacker needs only a valid session ID of an authenticated user, which can be obtained via session fixation, cross-site scripting, or network sniffing on unencrypted connections. The attacker then uses that session ID from their own system (different IP and User-Agent) without any additional authentication. The vulnerable code path does not enforce any binding; it merely sets $_SESSION['authorized'] = true after login but never compares the stored IP/User-Agent hash to the current request. [1][2]
Impact
Successful exploitation results in unauthorized access to the victim's authenticated session, allowing the attacker to perform any action the victim is permitted to do within FusionPBX. This can include viewing or modifying call records, user settings, and system configurations. The confidentiality, integrity, and availability of the affected FusionPBX instance and its users are compromised, potentially leading to full account takeover. [1][2]
Mitigation
The vulnerability is fixed in FusionPBX version 5.2.0. The patch introduces session validation by storing a SHA-256 hash of the client IP and User-Agent in $_SESSION['user_hash'] upon login, and then checking this hash on each request via a new code block that destroys the session if the stored and current values do not match. Administrators should upgrade to FusionPBX 5.2.0 or later immediately. No workaround is documented; users on older versions are advised to update. [1][2]
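The binding check described above, written out as an added PHP example. This is not FusionPBX's own code; the function names (client_fingerprint, bind_session, verify_session) are assumed, and only the session keys 'authorized' and 'user_hash' come from the description.

```php
<?php
// Added example of session binding as described in the mitigation.
// Not FusionPBX code; function names are assumed for illustration.

// Fingerprint of the client IP and User-Agent, hashed with SHA-256.
function client_fingerprint(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . $ua);
}

// Call once, after the user's credentials have been verified.
function bind_session(): void {
    session_regenerate_id(true);            // drop any pre-login (fixated) session ID
    $_SESSION['authorized'] = true;
    $_SESSION['user_hash'] = client_fingerprint();
}

// Call at the start of every authenticated request, after session_start().
// Returns false (and destroys the session) when the fingerprint does not match.
function verify_session(): bool {
    if (empty($_SESSION['authorized']) || empty($_SESSION['user_hash'])) {
        return false;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($_SESSION['user_hash'], client_fingerprint())) {
        $_SESSION = [];
        session_destroy();                  // mismatch: end the session
        return false;
    }
    return true;
}

// Typical use in a protected page.
session_start();
if (!verify_session()) {
    header('Location: /login.php');         // assumed login page path
    exit;
}
```

Binding to REMOTE_ADDR ends sessions for clients whose address changes (mobile networks, rotating proxies), so deployments behind a reverse proxy must use the real client address rather than the proxy's. The check complements, and does not replace, HttpOnly/Secure/SameSite cookie flags and TLS, which limit how a session ID can be stolen in the first place.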
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX / FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.