FreePBX XSS 2

An attacker targeting an authenticated administrator can lure them into clicking a specially crafted FreePBX 14.0.10.3 URL that gets JavaScript executed in their browser.

In the Manager module form (html\admin\modules\manager\views\form.php), the managerdisplay variable taken from the URL is reflected into the HTML without sanitization, resulting in reflected XSS.
It can be reached via a GET request to /config.php?type=tool&display=manager…
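To illustrate the bug class, here is an added example of the same reflection pattern next to its hardened form; this is not the Manager module's code nor the project's actual fix, and the heading markup and function names are assumptions.

```php
<?php
// Added illustration only: a hypothetical view that reflects a request
// parameter, written to show the vulnerable and the hardened pattern.

// Vulnerable pattern: the managerdisplay parameter is concatenated into
// HTML as-is, so any markup it carries is parsed by the browser.
function render_heading_vulnerable(array $query): string
{
    $display = $query['managerdisplay'] ?? '';
    return '<h2>Manager: ' . $display . '</h2>';
}

// Hardened pattern: encode for the HTML element context before reflecting.
// ENT_QUOTES also covers attribute contexts where quotes would break out.
function render_heading_fixed(array $query): string
{
    $display = htmlspecialchars(
        $query['managerdisplay'] ?? '',
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<h2>Manager: ' . $display . '</h2>';
}

// Constructed sample input standing in for $_GET: a value carrying markup.
$sample = ['managerdisplay' => '<i>not plain text</i>'];

// The first output keeps the tags intact; the second turns < and > into
// entities, so the value is displayed as text instead of being parsed.
echo render_heading_vulnerable($sample), PHP_EOL;
echo render_heading_fixed($sample), PHP_EOL;
```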


Bug ID: https://issues.freepbx.org/browse/FREEPBX-20436
Fix: https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372

The issue was reported by Pierre Jourdan and addressed by Franck Danard in:
Manager v13.0.2.6
Manager v15.0.6


A CVE has been published; the NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16967
https://nvd.nist.gov/vuln/detail/CVE-2019-16967
