An attacker targeting an authenticated admin can induce them to click on a specially crafted URL for FreePBX 14.0.10.3 that gets JavaScript code executed in their browser.
In the Manager module form (html\admin\modules\manager\views\form.php), the unsanitized managerdisplay variable taken from the URL is reflected into the HTML, leading to reflected XSS.
The form is reached via a GET request to /config.php?type=tool&display=manager…
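The defect class described above, as an added illustration that is not FreePBX code and does not reproduce the linked commit: a request parameter echoed straight into an HTML attribute, beside the escaped form a fix of this kind relies on. The function names, the attribute markup and the sample input are constructed for this example; only the parameter name managerdisplay and the view path come from the advisory.

```php
<?php
// Added example (not FreePBX code): the unsafe reflection pattern described
// for the Manager form view, beside the escaped form. Function names and
// markup are illustrative assumptions, not the project's actual view code.

// Vulnerable pattern: the request parameter is concatenated straight into
// HTML, so any markup characters in it become part of the page.
function render_vulnerable(string $managerdisplay): string {
    return '<input type="text" name="managerdisplay" value="' . $managerdisplay . '">';
}

// Hardened pattern: HTML-encode for the attribute context. ENT_QUOTES encodes
// both double and single quotes, and the charset is pinned to UTF-8 so the
// encoder cannot be confused by a mismatched encoding.
function render_hardened(string $managerdisplay): string {
    $safe = htmlspecialchars($managerdisplay, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="managerdisplay" value="' . $safe . '">';
}

// Defensive self-check usable in a unit test: if the input carries markup
// characters, none of it may survive verbatim in the rendered output.
function output_is_escaped(string $html, string $input): bool {
    $has_markup_chars = preg_match('/[<>"\']/', $input) === 1;
    return !$has_markup_chars || strpos($html, $input) === false;
}

// Constructed sample input containing attribute-breaking characters.
$sample = '"><i>sample</i>';
$vuln = render_vulnerable($sample);
$safe = render_hardened($sample);

var_dump(output_is_escaped($vuln, $sample)); // bool(false): raw input reflected
var_dump(output_is_escaped($safe, $sample)); // bool(true): only entities remain
echo $safe, PHP_EOL;
// <input type="text" name="managerdisplay" value="&quot;&gt;&lt;i&gt;sample&lt;/i&gt;">
```

The check in output_is_escaped is deliberately context-specific: it confirms that the value can no longer terminate the surrounding attribute, which is the condition the unsanitized view in form.php failed. Encoding for an attribute does not make the same value safe inside a script block or a URL; each output context needs its own encoder.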
Bug ID: https://issues.freepbx.org/browse/FREEPBX-20436
Fix: https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372
The issue was reported by Pierre Jourdan and addressed by Franck Danard in:
Manager v13.0.2.6
Manager v15.0.6
CVE assigned; NVD base score 6.1 (MEDIUM):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16967
https://nvd.nist.gov/vuln/detail/CVE-2019-16967
