An attacker targeting an authenticated admin can induce them to click on a specially crafted FreePBX 14.0.10.3 URL that gets JavaScript executed in their browser.
In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php) an unsanitized group variable taken from the URL is reflected into HTML in two places, leading to reflected XSS.
It can be triggered via a GET request to /admin/ajax.php?module=contactmanager…
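As an added illustration (not part of the advisory or of FreePBX's code), the following scan flags web-server access-log entries whose contactmanager group parameter carries HTML-significant characters, which is the input this reflected XSS depends on; the log lines are constructed, and the exact query string beyond module=contactmanager&group= is assumed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /admin/ajax.php?module=contactmanager&group=sales HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2019:12:00:07 +0000] "GET /admin/ajax.php?module=contactmanager&group=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.9 - - [10/Oct/2019:12:00:09 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of its HTML context.
HTML_META = set('<>"\'')


def suspicious_group(target: str) -> Optional[str]:
    """Return the decoded group value if it could break out of HTML, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("module") != ["contactmanager"]:
        return None
    for value in params.get("group", []):
        # parse_qs already decoded once; decode again to catch double-encoding.
        decoded = unquote(value)
        if HTML_META & set(decoded) or "javascript:" in decoded.lower():
            return decoded
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_group) for each request that trips the check."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged = suspicious_group(match.group("target"))
        if flagged is not None:
            hits.append((line.split(" ", 1)[0], flagged))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious contactmanager group parameter: {value!r}")
```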
Bug ID: https://issues.freepbx.org/browse/FREEPBX-20437
Fix: https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce2531bf633
The issue was reported by Pierre Jourdan and addressed by Franck Danard in:
Contactmanager v13.0.45.3
Contactmanager v14.0.5.12
Contactmanager v15.0.8.21
CVE published; NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16966
https://nvd.nist.gov/vuln/detail/CVE-2019-16966
