VYPR
Vendor: Fonality

Products: 4
CVEs: 11
Across products: 12
Status: Private

Recent CVEs: 11

  • CVE-2016-2362 | Critical | Jun 20, 2016
    risk 0.64 | cvss 9.8 | epss 0.02

    Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 has a hardcoded password for the FTP account, which allows remote attackers to obtain access via a (1) FTP or (2) SSH connection.

  • CVE-2016-2363 | High | Jun 20, 2016
    risk 0.51 | cvss 7.8 | epss 0.01

    Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command execution by leveraging access to the nobody account.

  • CVE-2016-2364 | High | Jun 20, 2016
    risk 0.49 | cvss 7.5 | epss 0.02

    The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge…

  • CVE-2020-7351 | May 1, 2020
    risk 0.08 | cvss not listed | epss 0.65

    An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the…

  • CVE-2014-5111 | Jul 28, 2014
    risk 0.05 | cvss not listed | epss 0.21

    Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in…

  • CVE-2008-6825 | Jun 5, 2009
    risk 0.05 | cvss not listed | epss 0.20

    Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter.

  • CVE-2014-5112 | Jul 28, 2014
    risk 0.04 | cvss not listed | epss 0.09

    maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.

  • CVE-2014-5109 | Jul 28, 2014
    risk 0.03 | cvss not listed | epss 0.03

    SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action.

  • CVE-2010-0702 | Feb 23, 2010
    risk 0.03 | cvss not listed | epss 0.04

    SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.

  • CVE-2014-5110 | Jul 28, 2014
    risk 0.00 | cvss not listed | epss 0.02

    Cross-site scripting (XSS) vulnerability in user/help/html/index.php in Fonality trixbox allows remote attackers to inject arbitrary web script or HTML via the id_nodo parameter.

  • CVE-2007-6424 | Dec 18, 2007
    risk 0.00 | cvss not listed | epss 0.02

    registry.pl in Fonality Trixbox 2.0 PBX products, when running in certain environments, reads and executes a set of commands from a remote web site without sufficiently validating the origin of the commands, which allows remote attackers to disable trixbox and execute arbitrary…