{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-53564", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-01-09T16:47:41.549Z", "dateReserved": "2024-11-20T00:00:00", "datePublished": "2024-12-02T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "FreePBX", "vendor": "Sangoma", "versions": [{"status": "affected", "version": "17.0.19.17", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-09T00:01:33.346930Z"}, "references": [{"url": "https://gist.github.com/hyp164D1/490732de230edf97423f6d95b0d2f903"}, {"url": "https://gist.github.com/hyp164D1/d419bdf3e7e352088a21631d0f452a8c"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.2, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.19.17", "versionEndIncluding": "17.0.19.17"}]}]}], "tags": ["disputed"]}, "adp": [{"affected": [{"vendor": "coalescent_systems", "product": "freepbx", "cpes": ["cpe:2.3:a:coalescent_systems:freepbx:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "v17.0.19.17", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-03T15:02:52.762550Z", "id": "CVE-2024-53564", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T16:47:41.549Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-53564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-03T15:02:52.762550Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:coalescent_systems:freepbx:*:*:*:*:*:*:*:*"], "vendor": "coalescent_systems", "product": "freepbx", "versions": [{"status": "affected", "version": "v17.0.19.17"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T15:06:38.663Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.2, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "Sangoma", "product": "FreePBX", "versions": [{"status": "affected", "version": "17.0.19.17", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://gist.github.com/hyp164D1/490732de230edf97423f6d95b0d2f903"}, {"url": "https://gist.github.com/hyp164D1/d419bdf3e7e352088a21631d0f452a8c"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "A serious vulnerability was discovered in FreePBX 17.0.19.17. FreePBX does not verify the type of uploaded files and does not restrict user access paths, allowing attackers to remotely control the FreePBX server by uploading malicious files with malicious content and accessing the default directory where the files are uploaded. This will result in particularly serious consequences."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "17.0.19.17", "versionStartIncluding": "17.0.19.17"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-08T23:58:28.406921Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53564", "state": "PUBLISHED", "dateUpdated": "2025-01-08T23:58:28.406921Z", "dateReserved": "2024-11-20T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-12-02T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do."}, {"lang": "es", "value": " Una vulnerabilidad de carga de archivos arbitrarios autenticados en el componente /module_admin/upload.php de freepbx v17.0.19.17 permite a los atacantes ejecutar c\u00f3digo arbitrario mediante la carga de un archivo manipulado espec\u00edficamente."}], "id": "CVE-2024-53564", "lastModified": "2025-01-09T17:15:15.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2024-12-02T18:15:11.353", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/hyp164D1/490732de230edf97423f6d95b0d2f903"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/hyp164D1/d419bdf3e7e352088a21631d0f452a8c"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}