FreePBX XSS 1

An attacker targeting an authenticated administrator can entice them to click a specially crafted FreePBX 14.0.10.3 URL that gets JavaScript executed in their browser.

In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable taken from the URL is reflected into the HTML in two places, leading to reflected XSS.
It can be triggered via a GET request to /admin/ajax.php?module=contactmanager…
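As an added illustration (not the Contactmanager code or the fix commit), the reflected-parameter pattern the advisory describes beside an escaped version; the function names and the two HTML contexts (element body and attribute value) are assumptions:

```php
<?php
// Illustrative only: not the FreePBX Contactmanager code nor its fix.
// The "group" value arrives from the query string of an admin page.

// Vulnerable pattern: the raw parameter is interpolated into HTML,
// so any markup in it is parsed by the browser.
function render_group_heading_vulnerable(string $group): string
{
    return "<h2>Group: $group</h2>";
}

// Hardened pattern: escape for the HTML context the value lands in.
// ENT_QUOTES also encodes single quotes, so the same helper is safe
// inside double- or single-quoted attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Element-body context.
function render_group_heading(string $group): string
{
    return '<h2>Group: ' . h($group) . '</h2>';
}

// Attribute-value context (the value is echoed back into a form field).
function render_group_input(string $group): string
{
    return '<input type="text" name="group" value="' . h($group) . '">';
}

// Constructed sample value containing markup and quotes; the request
// parameter is used when present so the script can be exercised directly.
$group = $_GET['group'] ?? 'Sales <b>team</b> "east"';

echo render_group_heading($group), "\n";
echo render_group_input($group), "\n";
// Markup and quotes in $group are rendered as text, not parsed.
```

Escaping is context-specific: a value placed inside a JavaScript string or a URL would need a different encoder than the HTML one shown here.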


Bug ID: https://issues.freepbx.org/browse/FREEPBX-20437

Fix: https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce2531bf633
The issue was reported by Pierre Jourdan and addressed by Franck Danard in:
Contactmanager v13.0.45.3
Contactmanager v14.0.5.12
Contactmanager v15.0.8.21


The CVE has been published; the NVD base score is 6.1 (MEDIUM):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16966
https://nvd.nist.gov/vuln/detail/CVE-2019-16966
