VYPR

Framework

by Freepbx

CVEs (7)

  • CVE-2018-6393 | High | Jan 29, 2018
    risk 0.47 | cvss 7.2 | epss 0.02

    FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged…

  • CVE-2025-66039 | Dec 9, 2025
    risk 0.03 | cvss | epss 0.03

    FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated…

  • CVE-2025-67736 | Dec 16, 2025
    risk 0.00 | cvss | epss 0.06

    The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with…

  • CVE-2025-67722 | Dec 16, 2025
    risk 0.00 | cvss | epss 0.00

    FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated…

  • CVE-2025-59056 | Sep 15, 2025
    risk 0.00 | cvss | epss 0.00

    FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables,…

  • CVE-2025-55211 | Sep 15, 2025
    risk 0.00 | cvss | epss 0.00

    FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing languages of the framework module. This vulnerability is fixed…

  • CVE-2014-7235 | Oct 7, 2014
    risk 0.00 | cvss | epss 0.43

    htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as…