sahiloj / CVE-2023-37599

Directory Listing vulnerability in issabel-pbx 4.0.0-6 exposing application sensitive files

issabel-pbx 4.0.0-6 - Directory Listing

Description: Issabel-pbx v.4.0.0-6 is vulnerable to Broken Access Control. A directory listing vulnerability allows any remote attacker to view sensitive application files within the modules directory without any authorization.

Vulnerable Product Version: issabel-pbx 4.0.0-6

Date: 10/07/2023

CVE: CVE-2023-37599

CVE Author: Sahil Ojha

Vendor Homepage: https://www.issabel.org/

Software Link: https://github.com/IssabelFoundation/issabelPBX

Tested on: Windows

Steps to reproduce:

  1. Navigate to URL: https://{Issabel IP}/module. I found out that many important files of the application can be accessed directly from this directory listing.
