{"id":"CVE-2018-19911","details":"FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.","modified":"2026-04-10T04:08:56.534928Z","published":"2018-12-06T18:29:00.297Z","references":[{"type":"EVIDENCE","url":"https://github.com/iSafeBlue/freeswitch_rce/blob/master/README-en.md"},{"type":"EVIDENCE","url":"https://github.com/iSafeBlue/freeswitch_rce/blob/master/freeswitch_rce.py"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/signalwire/freeswitch","events":[{"introduced":"0"},{"last_affected":"a98a958ac3ea9cff261aabccdc8ef0f71fac9abb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.8.2"}]}}],"versions":["git2svn-syncpoint-master","v.1.3.12","v.15.9","v0.0.1","v1.2-rc1","v1.2-rc2","v1.3.0","v1.3.1","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17-final","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.5.0","v1.5.1","v1.5.10","v1.5.12","v1.5.13","v1.5.14","v1.5.2","v1.5.5","v1.5.8","v1.5.final","v1.6.0","v1.8.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19911.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}