Last time I found a new cool CTF (you will find it at VulnHub) that I would like to play. This time it will be something related to some VoIP scenario... Ok. I decided that it would be a good idea to take a break for a moment and check the 'latest' available ISO for FreePBX ;]
Because of some problems (VirtualBox and SNG7-PBX-64bit-1712-2) I tried the 'historical' version: 10.13.66-32bit. Below you will find the results (related only to the SQL injection bug I found...
...because describing all of those XSSes is pointless).
(By the way, this one is cool too:
Maybe I will find something else/more (as soon as I finally finish the updates for modus.py... ;)).
In case of any questions/comments - feel free to ping me.
Thanks to the CVE Team, the bug is now described as CVE-2018-6393.
P.S.2 - updated 31.01.2018:
It looks like the 64bit version (SNG7-PBX-64bit-1712-2) is also vulnerable:
TL;DR - FYI