This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Path Traversal in Xorcom CompletePBX. <br>π₯ **Consequences**: Attackers can read arbitrary files on the server. Critical data exposure risk.
π’ **Vendor**: Xorcom. <br>π¦ **Product**: CompletePBX. <br>π **Affected**: Version 5.2.35 and earlier. Newer versions are safe.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Action**: Read arbitrary system files. <br>π **Privileges**: Requires Local Privileges (PR:L). <br>π **Impact**: High Confidentiality (C:H), No Integrity/Availability impact.
Q5Is exploitation threshold high? (Auth/Config)
π **Auth**: YES. Requires Local Privileges. <br>π **Network**: Network Accessible (AV:N). <br>β οΈ **Threshold**: Medium. Not remote unauthenticated, but local network access is sufficient.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π£ **Public Exp?**: No PoCs listed in data. <br>π **Wild Exp**: Low. Likely requires specific local access or crafted requests by authenticated users.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for CompletePBX instances. <br>π§ͺ **Test**: Attempt path traversal payloads (`../`) if local access is granted. <br>π **Verify**: Check installed version against 5.2.35.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: YES. <br>π₯ **Patch**: Update to version 5.2.36.1. <br>π **Source**: Xorcom vendor advisory released March 2025.
Q9What if no patch? (Workaround)
π‘οΈ **Workaround**: Restrict network access to PBX. <br>π« **Limit**: Ensure only trusted local users have access. <br>π **Monitor**: Log file access attempts closely.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: HIGH. <br>βοΈ **Reason**: CVSS 7.5 (High). Easy to exploit (AC:L) if local access exists. <br>π **Action**: Patch immediately to 5.2.36.1.