FreePBX
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- < 16.0.68.39
- < 17.0.18.38
A reflected cross-site scripting vulnerability has been identified in the Asterisk HTTP Status page, which is managed through the FreePBX interface. This issue affects FreePBX 16 versions prior to 16.0.68.39 and FreePBX 17 versions prior to 17.0.18.38. In FreePBX 16, the status page is accessible by default on any bound IP address at port 8088. For FreePBX 17, the default binding is only to localhost, which reduces exposure. The flaw allows unauthenticated attackers to steal cookies from users logged into the FreePBX admin panel, potentially hijacking their sessions. This could lead to unauthorized access to the admin interface, where sensitive data can be accessed, system configurations modified, backdoor accounts created, and services disrupted.
Exploitation of this vulnerability allows attackers to hijack administrative sessions, gaining control over the FreePBX admin interface. This access could be used to retrieve sensitive information, alter system settings, create unauthorized accounts, and disrupt services.
Users can update the 'core' module to the patched versions, 16.0.68.39 for FreePBX 16 and 17.0.18.38 for FreePBX 17. Additionally, the Asterisk HTTP Status page can be restricted to localhost by changing the 'HTTP Bind Address' in 'Advanced Settings' to '127.0.0.1', then applying the configuration and restarting Asterisk. It is also advisable to log out of the admin panel after use and to restrict access from unknown IP addresses, for example by using a VPN or firewall.
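The following audit helper is an added example, not FreePBX or Asterisk project code. It checks the two things the remediation above turns on: whether the Asterisk HTTP service is configured to bind to a non-loopback address, and whether port 8088 is actually listening on a non-loopback interface. It assumes the standard Asterisk http.conf keys (`enabled`, `bindaddr`, `bindport` under `[general]`), which FreePBX writes from the 'HTTP Bind Address' setting, and the line layout printed by `ss -ltn` on Linux; the sample configuration and socket listing below are constructed for the demonstration.

```python
"""Audit whether the Asterisk HTTP status page is reachable beyond localhost.

Added example (not FreePBX/Asterisk code). Assumptions:
  * http.conf uses the standard [general] keys enabled / bindaddr / bindport;
    when 'enabled' is absent the service is treated as disabled.
  * socket lines follow the `ss -ltn` layout: STATE RECV-Q SEND-Q LOCAL PEER.
All sample inputs are constructed for the demonstration.
"""
import ipaddress
import re

ASTERISK_HTTP_PORT = 8088  # default status-page port named in the advisory


def is_loopback(addr: str) -> bool:
    """True if addr is an IPv4/IPv6 loopback address; '*' or garbage is False."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_http_conf(conf_text: str) -> dict:
    """Parse http.conf text and report whether the HTTP service is exposed.

    'exposed' is True only when the service is enabled and bindaddr is a
    non-loopback address (e.g. 0.0.0.0, the FreePBX 16 default behaviour).
    """
    enabled, bindaddr, bindport, section = False, None, ASTERISK_HTTP_PORT, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "general" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "enabled":
            enabled = value.lower() in ("yes", "true", "on", "1")
        elif key == "bindaddr":
            bindaddr = value
        elif key == "bindport":
            bindport = int(value)
    exposed = enabled and bindaddr is not None and not is_loopback(bindaddr)
    return {"enabled": enabled, "bindaddr": bindaddr,
            "bindport": bindport, "exposed": exposed}


SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def exposed_listeners(ss_output: str, port: int = ASTERISK_HTTP_PORT) -> list:
    """Return local addresses on which `port` listens on a non-loopback interface."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, _, lport = m.group("local").rpartition(":")
        if lport != str(port):
            continue
        addr = addr.strip("[]")  # IPv6 is printed as [::]:8088
        if not is_loopback(addr):
            found.append(addr)
    return found


# Constructed samples: the weak setting beside the corrected one.
WEAK_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=0.0.0.0   ; reachable on every address (FreePBX 16 default)
bindport=8088
"""
HARDENED_HTTP_CONF = """\
[general]
enabled=yes
bindaddr=127.0.0.1 ; 'HTTP Bind Address' set to loopback
bindport=8088
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8088       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8088     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTP_CONF), ("hardened", HARDENED_HTTP_CONF)):
        print(label, audit_http_conf(conf))
    print("non-loopback listeners on 8088:", exposed_listeners(SAMPLE_SS))
```

On a live host, feed the function the real `/etc/asterisk/http.conf` text and the output of `ss -ltn`; a non-empty listener list on 8088 after the bind address has been changed usually means the configuration was not applied or Asterisk was not restarted, as the remediation step requires.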