VYPR
High severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-44238

Description

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FreePBX CDR Reports module contains a SQL injection in the ORDER BY clause via the order and sort parameters, requiring authenticated access with CDR permissions.

Vulnerability

FreePBX versions prior to 16.0.50 and 17.0.11 have a SQL injection vulnerability in the CDR Reports module page. The order and sort POST parameters are interpolated directly into the ORDER BY clause of SQL queries after processing by escapeSimple(), which only escapes single quotes and is ineffective for structural SQL injection in unquoted ORDER BY contexts [1].

Exploitation

An attacker needs authentication as a FreePBX Administration Control Panel account with CDR section access. Full administrator privileges are not required. The attacker can send crafted POST requests with malicious values in the order and sort parameters to perform SQL injection [1].

Impact

Successful exploitation allows the attacker to view data directly within the database, potentially disclosing sensitive information. The CVSS 4.0 base score is 8.5 (High) with impacts on confidentiality and integrity [1].

Mitigation

Update the cdr module to version 16.0.50 or 17.0.11, which contain the fix. Additional mitigations include restricting access to the FreePBX Administrator Control Panel to authorized users, using VPN, MFA, or SAML modules, and denying access from hostile networks via the FreePBX Firewall module [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User-controlled `order` and `sort` POST parameters are interpolated directly into the ORDER BY clause of SQL queries after insufficient escaping that only handles single quotes."

Attack vector

An attacker with a FreePBX Administration Control Panel account that has CDR section access (full administrator privileges are not required) sends crafted `order` and `sort` POST parameters to the CDR Reports page. These values are interpolated directly into the ORDER BY clause after only single-quote escaping, which does not prevent structural SQL injection [1]. The attack is network-accessible and requires no special network position beyond access to the ACP.

Affected code

The CDR Reports module page (`page.cdr.php`) interpolates user-controlled `order` and `sort` POST parameters directly into the ORDER BY clause of SQL queries. The `escapeSimple()` function only escapes single quotes, which is insufficient for structural SQL injection in unquoted ORDER BY contexts [1].

What the fix does

The advisory states that the fix is to update the cdr module to version 16.0.50 or 17.0.11 [1]. No patch diff is provided in the bundle, but the advisory notes that a prior fix (GHSA-59gp-632h-c54v) addressed the LIMIT parameter in the same file but did not cover ORDER BY or sort direction, implying the current fix extends proper parameterization or validation to those parameters.
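The root-cause and fix sections above describe a general pattern: quote-escaping cannot protect an identifier position such as ORDER BY, because a column name or sort direction is never quoted, so the only sound defence is an allowlist of the identifiers the page actually sorts on. The following is an added illustration of that pattern, written here in Python against an in-memory SQLite table rather than in FreePBX's PHP; it is not FreePBX code and does not reproduce `page.cdr.php`. The `escape_simple()` helper mimics only the single-quote doubling behaviour the advisory attributes to `escapeSimple()`, the `cdr` table and its rows are constructed sample data, and the column names in `ALLOWED_SORT_COLUMNS` are assumptions chosen for the example.

```python
import sqlite3
from typing import Callable, List

# Constructed sample CDR rows (calldate, src, dst, duration); not real call data.
SAMPLE_CDR = [
    ("2026-05-01 10:00:00", "1001", "2002", 30),
    ("2026-05-02 11:00:00", "1002", "2003", 120),
    ("2026-05-03 12:00:00", "1003", "2001", 5),
]

# Assumed allowlists: the only identifiers a report page should ever place in ORDER BY.
ALLOWED_SORT_COLUMNS = {"calldate", "src", "dst", "duration"}
ALLOWED_ORDER = {"ASC", "DESC"}


def escape_simple(value: str) -> str:
    """Quote-only escaping, mimicking what the advisory describes for escapeSimple():
    single quotes are doubled and nothing else is touched."""
    return value.replace("'", "''")


def weak_order_by(sort: str, order: str) -> str:
    """Vulnerable pattern: the escaped value lands in an unquoted identifier position.
    Any input that contains no single quote passes through completely unchanged, so
    the escaping constrains nothing about the SQL structure."""
    return f"ORDER BY {escape_simple(sort)} {escape_simple(order)}"


def safe_order_by(sort: str, order: str) -> str:
    """Hardened pattern: request values are used only as lookup keys into an allowlist,
    and the SQL text is assembled from the allowlisted tokens, never from the request."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort!r}")
    direction = order.upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"order direction not allowed: {order!r}")
    return f"ORDER BY {sort} {direction}"


def query_cdr(sort: str, order: str,
              builder: Callable[[str, str], str]) -> List[str]:
    """Run a report query over the sample table using the given ORDER BY builder
    and return the src column in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER)"
    )
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", SAMPLE_CDR)
    sql = f"SELECT src FROM cdr {builder(sort, order)}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    # A value with no quotes is returned unchanged by quote-only escaping, so the weak
    # builder accepts a multi-column expression it was never meant to allow.
    print(weak_order_by("duration, src", "ASC"))   # ORDER BY duration, src ASC
    # The allowlisted builder rejects the same value outright.
    try:
        safe_order_by("duration, src", "ASC")
    except ValueError as exc:
        print("rejected:", exc)
    # Legitimate requests still work, with the direction normalised from the allowlist.
    print(query_cdr("duration", "desc", safe_order_by))   # ['1002', '1001', '1003']
```

The check worth copying is that `safe_order_by()` never concatenates the request value itself; the string that reaches the query is the allowlist entry that matched. Rejecting with an error rather than silently falling back to a default also gives a clean signal to log, since a CDR page should never receive a sort column outside its own column list.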

Preconditions

  • auth: Attacker must have a FreePBX Administration Control Panel account with CDR section access.
  • network: Attacker must be able to reach the FreePBX ACP over the network.
  • input: The CDR Reports module page must be accessible and accept POST parameters.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)