FreePBX CDR Module SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the FreePBX CDR (Call Data Record) module, affecting versions prior to 16.0.49 and 17.0.7. The vulnerability arises from inadequate input sanitization of certain LIMIT parameters in SQL queries, allowing user-controlled input to be directly injected into the database queries. This could enable an attacker to manipulate or view database information. Exploitation requires authentication with a known username.
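As an added illustration (not FreePBX's code; the `cdr` table schema and sample rows are constructed, and Python with sqlite3 stands in for the PHP/MySQL stack), the pattern this bug class describes sits next to its hardened counterpart: LIMIT operands are validated as bounded integers and then bound as parameters rather than concatenated into the statement.

```python
import re
import sqlite3

MAX_ROWS = 1000  # assumed upper bound on rows per page


def parse_limit(value, default, maximum=MAX_ROWS):
    """Return a bounded non-negative int for a LIMIT/OFFSET operand."""
    # Only a plain decimal string is accepted; negatives, commas, exponents
    # and SQL fragments are rejected instead of being passed through.
    if value is None or str(value).strip() == "":
        return default
    s = str(value).strip()
    if not re.fullmatch(r"\d{1,7}", s):
        raise ValueError(f"invalid LIMIT operand: {value!r}")
    return min(int(s), maximum)


def rejects(value):
    """True if parse_limit refuses the value."""
    try:
        parse_limit(value, 0)
    except ValueError:
        return True
    return False


def unsafe_page_sql(start, limit):
    # The vulnerable pattern: request parameters concatenated straight into
    # the LIMIT clause, so whatever text arrives becomes part of the statement.
    return f"SELECT clid, dst, duration FROM cdr ORDER BY calldate DESC LIMIT {start}, {limit}"


def cdr_page(conn, start, limit, default_rows=50):
    # Hardened form: operands are validated integers, then passed as bound
    # parameters (SQLite and MySQL native prepares accept integers for LIMIT).
    offset = parse_limit(start, 0)
    rows = parse_limit(limit, default_rows)
    return conn.execute(
        "SELECT clid, dst, duration FROM cdr ORDER BY calldate DESC LIMIT ? OFFSET ?",
        (rows, offset),
    ).fetchall()


def demo_db():
    """Constructed in-memory stand-in for a CDR table (not FreePBX's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (calldate TEXT, clid TEXT, dst TEXT, duration INTEGER)")
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", [
        ("2026-03-01 09:00:00", "Alice <1001>", "2002", 42),
        ("2026-03-01 09:05:00", "Bob <1002>", "2003", 7),
        ("2026-03-01 09:10:00", "Carol <1003>", "2001", 128),
    ])
    return conn
```

`unsafe_page_sql` is shown only to make the defect visible; `cdr_page` is the shape a fix takes, and the bounds in `parse_limit` also cap the rows a single request can pull.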

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, where an attacker can execute arbitrary SQL commands. This could lead to unauthorized data access or manipulation within the database.

Remediation

Users are advised to update the CDR module to the latest version. Additionally, access to the FreePBX Administrator Control Panel should be restricted to authorized users, and hostile network access should be denied using the FreePBX Firewall module.

Added: Mar 5, 2026, 7:22 PM
Updated: Mar 5, 2026, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 3.1
exploitability: 4.9
remediation: 7.9
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.