{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/security-reporting-cdr-freepbx-17/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Security-Reporting cdr (FreePBX 16)","Security-Reporting cdr (FreePBX 17)","Security-Reporting dashboard (FreePBX 16)","Security-Reporting dashboard (FreePBX 17)"],"_cs_severities":["medium"],"_cs_tags":["freepbx","sql_injection","lfi","vulnerability"],"_cs_type":"threat","_cs_vendors":["FreePBX"],"content_html":"\u003cp\u003eOn May 19, 2026, FreePBX published security advisories to address vulnerabilities affecting the Security-Reporting cdr and dashboard modules in FreePBX versions 16 and 17. These vulnerabilities include an authenticated SQL Injection vulnerability (GHSA-p9fq-fmpw-2h9x) in the CDR reports due to insufficient input sanitization in the ORDER BY clause and an authenticated Local File Inclusion (LFI) vulnerability (GHSA-hw7v-v2jp-wc4v) in the dashboard module. Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary SQL queries or read sensitive files on the server. 
Affected versions are Security-Reporting cdr 16.0.50 and earlier (FreePBX 16), Security-Reporting cdr 17.0.11 and earlier (FreePBX 17), Security-Reporting dashboard 16.0.22 and earlier (FreePBX 16), and Security-Reporting dashboard 17.0.5 and earlier (FreePBX 17).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the FreePBX web interface with valid credentials; neither issue is reachable without a session.\u003c/li\u003e\n\u003cli\u003eFor SQL Injection (GHSA-p9fq-fmpw-2h9x), the attacker opens the CDR Reports view of the Security-Reporting cdr module.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies a crafted value in the \u003ccode\u003esort\u003c/code\u003e parameter of the report request, which the report code places into its ORDER BY clause without sufficient sanitization.\u003c/li\u003e\n\u003cli\u003eThe application executes the resulting query against the FreePBX database. An ORDER BY injection point normally cannot return data directly, so extraction is typically blind (boolean- or time-based).\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, potentially including user credentials or call records.\u003c/li\u003e\n\u003cli\u003eFor Local File Inclusion (GHSA-hw7v-v2jp-wc4v), the attacker accesses the Dashboard module.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies a file parameter containing directory traversal sequences such as \u0026ldquo;../\u0026rdquo;, possibly URL-encoded, to reach files outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive files, such as configuration files or private keys, from the FreePBX server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can expose sensitive information, including database credentials, call records, and system files. 
An attacker could use the SQL injection to read, and depending on the privileges of the database account modify, FreePBX database contents, leading to data exposure or service disruption. The LFI could expose configuration files or private keys, which may let the attacker compromise the whole system. Any FreePBX 16 or 17 installation running an affected module version is exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updates provided by FreePBX that patch the SQL Injection (GHSA-p9fq-fmpw-2h9x) and Local File Inclusion (GHSA-hw7v-v2jp-wc4v) vulnerabilities in the Security-Reporting cdr and dashboard modules.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the affected modules whose sort parameters contain anything other than a bare column name and a direction, or whose file parameters contain traversal sequences, including URL-encoded forms such as \u003ccode\u003e%2e%2e%2f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWhere ORDER BY input cannot be bound as a query parameter, map it onto an allow-list of column names and the literals ASC/DESC rather than trying to sanitize it; for file parameters, resolve the requested path and reject anything outside the intended directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious ORDER BY clauses in web requests to detect potential SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eReview access controls to the FreePBX web interface and limit access to authorized personnel; both issues require valid credentials, so weak, shared, or reused administrator passwords are what make them practical.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T15:15:37Z","date_published":"2026-05-20T15:15:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-freepbx-vulns/","summary":"FreePBX released security advisories addressing authenticated SQL injection and local file inclusion vulnerabilities in the Security-Reporting cdr and dashboard modules for FreePBX 16 and 17.","title":"CraftedSignal Threat Feed — Security-Reporting Cdr (FreePBX 17)","version":"https://jsonfeed.org/version/1.1"}
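The brief's monitoring recommendation (flag sort parameters that are not a bare column name and file parameters that carry traversal sequences) can be turned into a small log scanner. The following is an added example, not code from CraftedSignal or from the FreePBX project: the log lines are constructed, and the request paths, the `module`/`command`/`sort`/`order`/`widget` parameter names and the payloads are assumptions for illustration, not details taken from the advisories. The check applies the same allow-list a fixed application should enforce server-side, and decodes parameters repeatedly so double-encoded traversal does not slip past.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (not real traffic). Paths,
# parameter names and payloads are assumptions for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - admin [20/May/2026:10:01:02 +0000] "GET /admin/ajax.php?module=cdr&command=grid&sort=calldate&order=desc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - admin [20/May/2026:10:01:09 +0000] "GET /admin/ajax.php?module=cdr&command=grid&sort=calldate%20LIMIT%201%3B%20SELECT%20SLEEP(5)--%20&order=asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - admin [20/May/2026:10:02:30 +0000] "GET /admin/ajax.php?module=dashboard&command=getwidget&widget=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1810 "-" "curl/8.4.0"
10.0.0.9 - admin [20/May/2026:10:02:41 +0000] "GET /admin/ajax.php?module=dashboard&command=getwidget&widget=..%252F..%252Fetc%252Fasterisk%252Fmanager.conf HTTP/1.1" 200 910 "-" "curl/8.4.0"
10.0.0.7 - - [20/May/2026:10:03:00 +0000] "GET /admin/config.php?display=cdr HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""

# Apache combined log: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate ORDER BY argument is a bare identifier; a direction is ASC or DESC.
# Anything else in a sort parameter is treated as an injection attempt.
IDENT_RE = re.compile(r'^[A-Za-z0-9_]{1,64}$')
DIRECTION_RE = re.compile(r'^(asc|desc)$', re.IGNORECASE)
SORT_PARAMS = {'sort', 'order', 'orderby', 'sortfield'}  # assumed parameter names
# A ".." path segment, with either slash style, anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252F) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = [(k, fully_decode(v))
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def classify(rec):
    """Return (rule, param, decoded_value) findings for one parsed request."""
    findings = []
    params = dict(rec['params'])
    module = params.get('module', '').lower()
    for key, value in rec['params']:
        k = key.lower()
        if module == 'cdr' and k in SORT_PARAMS:
            ok = DIRECTION_RE.match(value) if k == 'order' else IDENT_RE.match(value)
            if not ok:
                findings.append(('cdr_orderby_sqli', key, value))
        if module == 'dashboard' and TRAVERSAL_RE.search(value):
            findings.append(('dashboard_lfi_traversal', key, value))
    return findings


def scan_log(text):
    """Scan a whole log and return one alert dict per finding, in log order."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, key, value in classify(rec):
            alerts.append({'rule': rule, 'ip': rec['ip'], 'user': rec['user'],
                           'status': rec['status'], 'param': key, 'value': value})
    return alerts


if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['rule']:24} {a['ip']:10} user={a['user']} "
              f"{a['param']}={a['value']!r} status={a['status']}")
```

Two design points carry over to real deployments: alert on the decoded value, not the raw request line, or a single extra layer of percent-encoding defeats the rule; and because both vulnerabilities are authenticated, the `user` field is the pivot for the incident, since a legitimate administrator account sending these requests means that account is compromised or misused.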