Multiple XSS Vulnerabilities in Backup & Restore Module of FreePBX
CVE-2019-19615

4.8 MEDIUM

Key Information:

Vendor: Sangoma

Status
Vendor
CVE Published: 16 March 2020

What is CVE-2019-19615?

Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Backup & Restore module of FreePBX (versions 14.0.10.2 to 14.0.10.7). Attackers can exploit these vulnerabilities by manipulating the 'id' parameter in the backup configuration interface. This allows them to inject malicious XSS payloads within links that execute in the context of users who click on them, potentially compromising administrative accounts and leading to unauthorized actions within the FreePBX system.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
