CVE-2019-16966

An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:freepbx:contactmanager:*:*:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:*:*:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:*:*:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:13.0.0:beta1:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:13.0.0:beta2:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:13.0.0:beta3:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:13.0.0:beta4:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:13.0.0:beta5:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:-:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:alpha1:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:alpha2:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:beta1:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:beta2:*:*:*:freepbx:*:*
cpe:2.3:a:freepbx:contactmanager:14.0.1:beta3:*:*:*:freepbx:*:*
cpe:2.3:a:sangoma:freepbx:14.0.10.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-21 19:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-16966

Mitre link : CVE-2019-16966

CVE.ORG link : CVE-2019-16966


JSON object : View

Products Affected

sangoma

  • freepbx

freepbx

  • contactmanager
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')