CVE-2019-16967

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:freepbx:manager:*:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:manager:*:*:*:*:*:*:*:*
cpe:2.3:a:freepbx:manager:13.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-21 20:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-16967

Mitre link : CVE-2019-16967

CVE.ORG link : CVE-2019-16967


JSON object : View

Products Affected

freepbx

  • manager

sangoma

  • freepbx
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')