cpe:2.3:a:freepbx:endpoint:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Freepbx (d2522fe8-489d-5eaf-bf22-7a0d08f83c2b) |
|---|---|
| Product | Endpoint (e855ba4f-bc04-5f72-9b8a-7703ee915863) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-67513 | vulnerable | 2026-06-03 15:11:01.694334 | FreePBX Endpoint Manager's Weak Default Password Allows Unauthenticated Access in Endpoint Module REST API<br>FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.<br>Published: 2025-12-10T22:43:06.673Z<br>Updated: 2026-02-13T22:10:39.773Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-61675 | vulnerable | 2026-06-03 15:07:56.998257 | FreePBX Endpoint Manager vulnerable to authenticated SQL injection in multiple configuration parameters<br>FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17.<br>Published: 2025-10-14T19:30:27.362Z<br>Updated: 2026-02-13T22:02:48.373Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-59051 | vulnerable | 2026-06-03 15:06:23.437527 | FreePBX Endpoint Manager command injection via Network Scanning feature<br>The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied input allows authenticated OS command execution as the asterisk user. Authentication with a known username is required. Updating to Endpoint Manager 16.0.92 or 17.0.6 addresses the issue.<br>Published: 2025-10-14T19:15:54.440Z<br>Updated: 2026-02-13T21:59:27.391Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-57819 | vulnerable | 2026-06-03 15:05:00.088001 | FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE<br>FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.<br>Published: 2025-08-28T16:45:18.749Z<br>Updated: 2026-02-26T17:47:51.014Z | Imported from gcve-enriched-dumps CVE data |