Cross-Site Scripting in Sangoma FreePBX User Management
CVE-2019-19551

4.8 MEDIUM

Key Information:

Vendor

Sangoma

Status
Vendor
CVE Published:
6 December 2019

What is CVE-2019-19551?

In Sangoma FreePBX versions 13.0.76.43 through 15.0.20, the User Management screen does not adequately sanitize user-supplied input, which allows an attacker to inject script (a stored cross-site scripting flaw). An attacker with access to the User Control Panel can store harmful data in specific time/date formatting and time-zone fields. When an administrator or other authorized user later opens the affected User Management screen to view profiles, the stored script executes in the context of that victim user's account, potentially compromising their security and data integrity.
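The description above names the defect class: values a low-privilege panel user writes into time/date format and time-zone fields are stored and later rendered to an administrator without encoding. The snippet below is an added illustration, not FreePBX code, showing the two controls that close this class of bug: an allowlist check on those fields when they are saved, and HTML output encoding when they are rendered, placed beside an unsafe renderer that reproduces the defect. Field names, the zone allowlist and the sample profiles are constructed for the example.

```python
import html
import re

# Constructed allowlist of IANA zone names. A real deployment would load the
# full list from the system tz database (e.g. Python's zoneinfo module).
ALLOWED_TIMEZONES = {"UTC", "Europe/Berlin", "America/New_York", "Asia/Tokyo"}

# A date-format string may contain only strftime-style tokens and a few
# separators; any other character (quotes, angle brackets, ...) is rejected.
DATE_FORMAT_RE = re.compile(r"^(?:%[a-zA-Z%]|[ \-/:.,])+$")

# Constructed sample submissions from a panel user. Field names are
# hypothetical and not FreePBX's own.
MALICIOUS_PROFILE = {
    "username": "alice",
    "timezone": "<script>alert(1)</script>",
    "date_format": '%Y-%m-%d"><img src=x onerror=alert(1)>',
}
BENIGN_PROFILE = {
    "username": "bob",
    "timezone": "Europe/Berlin",
    "date_format": "%d/%m/%Y %H:%M",
}

PROFILE_FIELDS = ("username", "timezone", "date_format")


def validate_profile(profile: dict) -> dict:
    """Server-side input validation at save time.

    Returns a mapping of field name -> error message; an empty dict means the
    submission is acceptable. Validation is done on the server, never only in
    the browser, because the panel user controls the client.
    """
    errors = {}
    if profile.get("timezone") not in ALLOWED_TIMEZONES:
        errors["timezone"] = "not a known time zone"
    if not DATE_FORMAT_RE.fullmatch(profile.get("date_format", "")):
        errors["date_format"] = "only strftime tokens and separators are allowed"
    return errors


def render_profile_row_unsafe(profile: dict) -> str:
    """Reproduces the defect class: stored values are concatenated straight
    into the HTML the administrator's browser will parse."""
    return "<tr>" + "".join(f"<td>{profile[k]}</td>" for k in PROFILE_FIELDS) + "</tr>"


def render_profile_row_safe(profile: dict) -> str:
    """Output encoding at render time: every stored value is HTML-escaped
    (including quotes), so it is displayed as text even if it slipped past
    input validation or was written to the database by another path."""
    cells = (html.escape(str(profile[k]), quote=True) for k in PROFILE_FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


if __name__ == "__main__":
    print("validation errors:", validate_profile(MALICIOUS_PROFILE))
    print("unsafe render:", render_profile_row_unsafe(MALICIOUS_PROFILE))
    print("safe render:  ", render_profile_row_safe(MALICIOUS_PROFILE))
```

Both controls are needed: the allowlist stops the bad value from being stored through the panel, and the output encoding protects the administrator's view even when a value reached the database by some other route. Apply the escaping in the templating layer rather than per call site, so a new field added to the screen later cannot be forgotten.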

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
