FreePBX CDR Reports Module SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the CDR Reports module of FreePBX, affecting versions prior to 16.0.50 and 17.0.11. The vulnerability arises because the 'order' and 'sort' POST parameters are not sanitized before being interpolated into SQL queries. Exploitation requires authentication with a FreePBX Administration Control Panel account that has access to the CDR section; full administrator privileges are not necessary.
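The defect class described above, shown as an added example that is not FreePBX code: an ORDER BY clause assembled from request parameters, next to the allowlist check that fixes it. The table and column names (cdr, calldate, src, dst, duration) and the function names are assumptions for illustration.

```php
<?php
// Added example, not FreePBX's own code. Table/column names are assumptions.
//
// ORDER BY column names and directions cannot be bound as prepared-statement
// parameters, so they end up interpolated into the query text. That makes
// validation of the request value the only real control.

// Vulnerable pattern: the raw request values go straight into the SQL text.
function buildCdrQueryVulnerable(string $order, string $sort): string
{
    return "SELECT calldate, src, dst, duration FROM cdr ORDER BY $order $sort";
}

// Hardened pattern: the request value is matched against a fixed allowlist of
// column names and a fixed pair of directions; anything else is rejected.
// Only literals the application itself owns ever reach the query string.
const CDR_SORTABLE_COLUMNS = ['calldate', 'src', 'dst', 'duration'];

function buildCdrQuerySafe(string $order, string $sort): string
{
    if (!in_array($order, CDR_SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = (strtoupper($sort) === 'ASC') ? 'ASC' : 'DESC';
    return "SELECT calldate, src, dst, duration FROM `cdr` ORDER BY `$order` $direction";
}

// Demonstration with a constructed hostile value for the 'order' parameter.
$hostile = 'calldate; -- injected';
echo buildCdrQueryVulnerable($hostile, 'ASC'), PHP_EOL;   // attacker text is now part of the SQL
try {
    buildCdrQuerySafe($hostile, 'ASC');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;          // allowlist refuses it
}
echo buildCdrQuerySafe('duration', 'desc'), PHP_EOL;       // only known literals emitted
```

The same allowlist discipline applies to any identifier position (column, table, direction, LIMIT) that a prepared statement cannot parameterize.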

Impact

Exploitation of this vulnerability allows an authenticated user to inject into SQL queries built by the CDR Reports module, enabling attackers to manipulate those queries and potentially read or modify database contents.

Remediation

Update the CDR module to a fixed version (16.0.50, 17.0.11, or later). It is also recommended to ensure that only authorized users have access to the FreePBX Administration Control Panel, and to deny access from hostile networks using the FreePBX Firewall module.

Added: May 29, 2026, 2:34 PM
Updated: May 29, 2026, 2:34 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 4.9
remediation: 7.9
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.