An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
References
Link | Resource |
---|---|
https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372 | Patch Third Party Advisory |
https://issues.freepbx.org/browse/FREEPBX-20436 | Exploit Vendor Advisory |
https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-2/ | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2019-10-21 20:15
Updated : 2024-02-04 20:39
NVD link : CVE-2019-16967
Mitre link : CVE-2019-16967
CVE.ORG link : CVE-2019-16967
JSON object : View
Products Affected
freepbx
- manager
sangoma
- freepbx
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')