Cross-Site Scripting Vulnerability in Contactmanager for FreePBX
CVE-2019-16966

6.1MEDIUM

Key Information:

Vendor

Freepbx

Status
Contactmanager
Freepbx
Vendor
CVE Published:
21 October 2019

What is CVE-2019-16966?

A cross-site scripting issue exists in the Contactmanager component of FreePBX. This vulnerability occurs due to the lack of proper sanitization of a group variable that is reflected in the HTML output. Specifically, attackers can exploit this by manipulating the URL and executing a GET request to /admin/ajax.php?module=contactmanager. Unvalidated input can lead to unauthorized actions or compromise the security of the application, highlighting the importance of input validation in web applications.

References

https://issues.freepbx.org/browse/FREEPBX-20437
x_refsource_MISC
https://github.com/FreePBX/contactmanager/commit/99e5aa00...
x_refsource_MISC
https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1/
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.