{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47071", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-17T17:42:37.029Z", "datePublished": "2024-10-01T15:40:46.257Z", "dateUpdated": "2024-10-01T16:15:01.398Z"}, "containers": {"cna": {"title": "OSS Endpoint Manager allows unauthorized access to read system files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-x9wc-qjrc-j7ww", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-x9wc-qjrc-j7ww"}, {"name": "https://github.com/FreePBX-ContributedModules/endpointman/commit/bad70ca3de2166bbd24f273f7f212a8b2c92a719", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreePBX-ContributedModules/endpointman/commit/bad70ca3de2166bbd24f273f7f212a8b2c92a719"}], "affected": [{"vendor": "FreePBX", "product": "security-reporting", "versions": [{"version": "< 14.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T15:40:46.257Z"}, "descriptions": [{"lang": "en", "value": "OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4."}], "source": {"advisory": "GHSA-x9wc-qjrc-j7ww", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "freepbx", "product": "endpoint_manager", "cpes": ["cpe:2.3:a:freepbx:endpoint_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "14.0.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T16:09:36.724091Z", "id": "CVE-2024-47071", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T16:15:01.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47071", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T16:09:36.724091Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:freepbx:endpoint_manager:*:*:*:*:*:*:*:*"], "vendor": "freepbx", "product": "endpoint_manager", "versions": [{"status": "affected", "version": "0", "lessThan": "14.0.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T16:11:09.553Z"}}], "cna": {"title": "OSS Endpoint Manager allows unauthorized access to read system files", "source": {"advisory": "GHSA-x9wc-qjrc-j7ww", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FreePBX", "product": "security-reporting", "versions": [{"status": "affected", "version": "< 14.0.4"}]}], "references": [{"url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-x9wc-qjrc-j7ww", "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-x9wc-qjrc-j7ww", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FreePBX-ContributedModules/endpointman/commit/bad70ca3de2166bbd24f273f7f212a8b2c92a719", "name": "https://github.com/FreePBX-ContributedModules/endpointman/commit/bad70ca3de2166bbd24f273f7f212a8b2c92a719", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T15:40:46.257Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47071", "state": "PUBLISHED", "dateUpdated": "2024-10-01T16:15:01.398Z", "dateReserved": "2024-09-17T17:42:37.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-01T15:40:46.257Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4."}, {"lang": "es", "value": "OSS Endpoint Manager es un m\u00f3dulo de administraci\u00f3n de endpoints para FreePBX. La activaci\u00f3n del m\u00f3dulo OSS Endpoint Manager puede permitir que usuarios web autenticados accedan sin autorizaci\u00f3n a archivos del sistema con los permisos del proceso del servidor web. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 14.0.4."}], "id": "CVE-2024-47071", "lastModified": "2024-10-04T13:51:25.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-01T16:15:09.637", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/FreePBX-ContributedModules/endpointman/commit/bad70ca3de2166bbd24f273f7f212a8b2c92a719"}, {"source": "security-advisories@github.com", "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-x9wc-qjrc-j7ww"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}