Fonality
Products
4 products:
- 7 CVEs
- 3 CVEs
- 1 CVE
- 1 CVE
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2362 | Fonality | Critical | 0.64 | 9.8 | 0.02 | | Jun 20, 2016 | Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 has a hardcoded password for the FTP account, which allows remote attackers to obtain access via a (1) FTP or (2) SSH connection. |
| CVE-2016-2363 | Fonality | High | 0.51 | 7.8 | 0.01 | | Jun 20, 2016 | Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command execution by leveraging access to the nobody account. |
| CVE-2016-2364 | Fonality | High | 0.49 | 7.5 | 0.02 | | Jun 20, 2016 | The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge… |
| CVE-2020-7351 | Fonality | | 0.08 | — | 0.65 | | May 1, 2020 | An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the… |
| CVE-2014-5111 | Fonality | | 0.05 | — | 0.21 | | Jul 28, 2014 | Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in… |
| CVE-2008-6825 | Fonality | | 0.05 | — | 0.20 | | Jun 5, 2009 | Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter. |
| CVE-2014-5112 | Fonality | | 0.04 | — | 0.09 | | Jul 28, 2014 | maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter. |
| CVE-2014-5109 | Fonality | | 0.03 | — | 0.03 | | Jul 28, 2014 | SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action. |
| CVE-2010-0702 | Fonality | | 0.03 | — | 0.04 | | Feb 23, 2010 | SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter. |
| CVE-2014-5110 | Fonality | | 0.00 | — | 0.02 | | Jul 28, 2014 | Cross-site scripting (XSS) vulnerability in user/help/html/index.php in Fonality trixbox allows remote attackers to inject arbitrary web script or HTML via the id_nodo parameter. |
| CVE-2007-6424 | Fonality | | 0.00 | — | 0.02 | | Dec 18, 2007 | registry.pl in Fonality Trixbox 2.0 PBX products, when running in certain environments, reads and executes a set of commands from a remote web site without sufficiently validating the origin of the commands, which allows remote attackers to disable trixbox and execute arbitrary… |
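Most rows in the table above are web-tier bugs with a named endpoint and a named parameter (traversal and shell metacharacters in `lang`, traversal in `langChoice`, SQL injection in `mac` and `ID`, script injection in `id_nodo`), which makes them easy to hunt for retroactively in Apache access logs from a trixbox host. The script below is an added example written for this page, not vendor or NVD code: the endpoint/parameter pairs are taken from the CVE descriptions, while the rule table, payload patterns, helper names and log lines are constructed for illustration. The advisory text for CVE-2020-7351 does not name the injected parameter, so that rule inspects every parameter of `endpoint_devicemap.php` (an assumption). Values are URL-decoded twice so a double-encoded `../` is still caught.

```python
"""Flag requests to the trixbox/Fonality endpoints named in the CVE table
with traversal, shell-metacharacter, SQL or script payloads.
Example code added to this page; rules and sample log are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# (path suffix, parameter or None for "any parameter", payload class, CVE)
# Endpoints and parameters come from the CVE descriptions; the rule
# layout itself is an assumption made for this example.
RULES = [
    ("home/index.php",                                 "lang",       "traversal", "CVE-2014-5111"),
    ("asterisk_info/asterisk_info.php",                "lang",       "traversal", "CVE-2014-5111"),
    ("repo/repo.php",                                  "lang",       "traversal", "CVE-2014-5111"),
    ("endpointcfg/endpointcfg.php",                    "lang",       "traversal", "CVE-2014-5111"),
    ("maint/modules/home/index.php",                   "lang",       "cmdi",      "CVE-2014-5112"),
    ("user/index.php",                                 "langchoice", "traversal", "CVE-2008-6825"),
    ("maint/modules/endpointcfg/endpoint_generic.php", "mac",        "sqli",      "CVE-2014-5109"),
    ("cisco/services/PhonecDirectory.php",             "id",         "sqli",      "CVE-2010-0702"),
    ("user/help/html/index.php",                       "id_nodo",    "xss",       "CVE-2014-5110"),
    # Parameter not named in the advisory; assumption: inspect every parameter.
    ("endpoint_devicemap.php",                         None,         "cmdi",      "CVE-2020-7351"),
]

# Payload signatures per class; deliberately simple, tune for your traffic.
PAYLOAD = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "cmdi":      re.compile(r"[;|&`\n]|\$\("),
    "sqli":      re.compile(r"'|--|/\*|\bunion\b|\bor\b\s+\S+\s*=", re.I),
    "xss":       re.compile(r"<|javascript:|\bon\w+\s*=", re.I),
}

# Apache combined log format (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(value):
    """Decode twice so %252e%252e/ (double-encoded ../) is still visible."""
    return unquote_plus(unquote_plus(value))


def inspect_request(target):
    """Return [(cve, path, parameter, payload_class)] for one request target."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    params = {k.lower(): [decode(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    for suffix, param, cls, cve in RULES:
        if not path.endswith(suffix):
            continue
        names = [param] if param else list(params)
        for name in names:
            for value in params.get(name, []):
                if PAYLOAD[cls].search(value):
                    findings.append((cve, path, name, cls))
    return findings


def scan_log(lines):
    """Parse access-log lines and return one finding dict per matching rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        for cve, path, name, cls in inspect_request(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "cve": cve, "path": path, "param": name, "class": cls})
    return findings


# Constructed sample log: one benign and several hostile requests.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2014:10:01:02 +0000] "GET /maint/modules/home/index.php?lang=en HTTP/1.1" 200 512
10.0.0.9 - - [28/Jul/2014:10:01:07 +0000] "GET /maint/modules/home/index.php?lang=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1833
10.0.0.9 - - [28/Jul/2014:10:02:15 +0000] "GET /maint/modules/home/index.php?lang=en;id HTTP/1.1" 200 96
10.0.0.9 - - [28/Jul/2014:10:03:40 +0000] "GET /maint/modules/endpointcfg/endpoint_generic.php?mac=00'%20OR%20'1'='1&Submit=Submit HTTP/1.1" 200 2210
10.0.0.12 - - [28/Jul/2014:10:04:01 +0000] "GET /user/index.php?langChoice=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 100
10.0.0.3 - - [28/Jul/2014:10:05:00 +0000] "GET /cisco/services/PhonecDirectory.php?ID=42 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['cve']} {f['class']} {f['path']}?{f['param']} status={f['status']}")
```

On the sample above the benign `lang=en` and `ID=42` requests produce nothing; the four hostile lines each map to exactly one CVE. Because rule matching is by path suffix, `maint/modules/home/index.php` is checked by both the traversal rule for `home/index.php` and the command-injection rule, which mirrors how the two 2014 advisories describe the same script. A 200 status on a traversal or injection hit is worth treating as a probable compromise rather than a blocked probe.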