I’m using GVM 21.6.1 on Kali Linux.
I believe there is a false positive in the detection of CVE-2020-10666.
“FreePBX 13.x <= 220.127.116.11, 14.x <= 18.104.22.168, 15.x <= 22.214.171.124 RCE Vulnerability”
The file is plugins/2021/freepbx/gb_freepbx_rce_vuln_mar20.nasl.
If one reads the vendor URL about this -> one will see that the vulnerability exists in “restapps” (a commercial module) and not in the core FreePBX framework itself.
The plugin gets the version of FreePBX (the core framework), not of the restapps module.
Because the latest version of the FreePBX core framework is 126.96.36.199 (at the time of writing), which is < 188.8.131.52, the fixed restapps module version, the script falsely reports the FreePBX installation as vulnerable.
How can this be fixed in a future version of the detection script?