Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PR:L confirmed by PERM_READ requirement; C:H for full credential disclosure; I:N and A:N as exploitation is read-only log access.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2.
AnalysisAI
Plaintext credential exposure in Frogman's audit logging pipeline allows any authenticated low-privilege user holding PERM_READ access to recover passwords and extension secrets set by administrative operations. Frogman versions prior to 1.6.2 encode full tool response payloads - including the plaintext password returned by fm_reset_password and the plaintext secret returned by fm_add_extension - directly into the oc_audit_log.detail column via auditOutcome in Frogman.class.php. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Frogman session token or credentials at the PERM_READ privilege level - the minimum authenticated tier - and network access to the Frogman HTTP API or MCP endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately characterizes the threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any PERM_READ credential - for example through phishing a monitoring account or exploiting a separate low-severity authentication bypass - authenticates to the Frogman HTTP API or MCP endpoint and invokes fm_audit_search to retrieve oc_audit_log entries. The query returns JSON-encoded detail fields containing the plaintext passwords from prior fm_reset_password calls and the plaintext extension secrets from fm_add_extension calls, which the attacker then uses to authenticate directly to PBX extensions or escalate to administrative accounts. … |
| Remediation | The primary fix is to upgrade Frogman to version 1.6.2, which introduces the redactSensitive() method in Frogman.class.php to strip known credential keys (password, secret, token, vmpwd, umpassword, umpwd, api_key, apikey) from audit log writes, and simultaneously elevates the fm_audit_search permission gate from PERM_READ to PERM_ADMIN in AuditSearch.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44999