Various cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are present within FreePBX, including in the User Portal (ARI) and the Reports application. These vulnerabilities would only affect an already authenticated login to FreePBX. Given the nature of the vulnerabilities, they are very low risk, although they are real and will be addressed immediately.
There is also a User Account Enumeration issue in the ARI.
These issues exist in most releases of FreePBX. Fixes will be provided for 2.4, 2.5 and trunk (soon to be 2.6).
The vulnerabilities were reported with discretion by Secunia Research and will be published shortly on their site as Secunia Advisory SA34772: