CVE-2012-4869 Information

Description

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9 2.10 and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

Reference

http://packetstormsecurity.org/files/111028/FreePBX-2.10.0-Remote-Command-Execution-XSS.html http://seclists.org/fulldisclosure/2012/Mar/234 http://secunia.com/advisories/48463 http://www.exploit-db.com/exploits/18649 http://www.exploit-db.com/exploits/18659 http://www.freepbx.org/trac/ticket/5711 http://www.securityfocus.com/bid/52630 https://exchange.xforce.ibmcloud.com/vulnerabilities/74174