Cross-Site Scripting Vulnerability in Sangoma FreePBX User Management
CVE-2019-19552
Severity score: 4.8 (MEDIUM)
What is CVE-2019-19552?
FreePBX from Sangoma contains a stored cross-site scripting (XSS) vulnerability in its User Management (userman) interface. An authenticated attacker who is permitted to edit users can set a user's Display Name to a value containing a malicious XSS payload through the administrator web interface at the /admin/config.php?display=userman URI. The payload is stored with the user record and executes when any other user, including an administrator, views the User Management screen; it then runs in the context of that viewer's session, potentially leading to unauthorized actions or data exposure.
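As an added illustration (not FreePBX's own code), the Python below models the two ways a stored Display Name can reach the User Management page: interpolated verbatim, as the vulnerability describes, versus HTML-encoded at output time. It also includes a small audit helper for flagging already-stored names that contain markup; the user records, field names and payload are constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class User:
    """Constructed stand-in for a FreePBX user record (not the real schema)."""
    username: str
    display_name: str


# Constructed sample data: one ordinary name and one carrying an XSS payload.
SAMPLE_USERS = [
    User("alice", "Alice Example"),
    User("mallory", 'Mallory <script>alert("userman")</script>'),
]


def render_row_vulnerable(user: User) -> str:
    """Vulnerable pattern: the stored Display Name is dropped into the page
    unchanged, so any markup in the field becomes live HTML for the viewer."""
    return f"<tr><td>{user.username}</td><td>{user.display_name}</td></tr>"


def render_row_hardened(user: User) -> str:
    """Fixed pattern: every attacker-controlled value is encoded for the HTML
    text-node context before it is written, so tags render as literal text."""
    return (
        f"<tr><td>{html.escape(user.username)}</td>"
        f"<td>{html.escape(user.display_name, quote=True)}</td></tr>"
    )


def render_table(users, row_renderer) -> str:
    """Build the User Management listing with the chosen row renderer."""
    return "<table>" + "".join(row_renderer(u) for u in users) + "</table>"


def contains_live_script(rendered: str) -> bool:
    """Crude check for an unencoded <script> tag in the rendered output."""
    return "<script" in rendered.lower()


def find_suspicious_display_names(users) -> list:
    """Audit helper for defenders: list users whose stored Display Name
    contains angle brackets, i.e. names worth reviewing after patching."""
    return [u.username for u in users if "<" in u.display_name or ">" in u.display_name]
```

Running the audit helper over the exported user list is a quick way to check whether a payload was already stored before the fix was applied.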
