XSS Injection Vulnerability in Sangoma FreePBX and PBXact Products
CVE-2019-19851

4.8 MEDIUM

Key Information:

Vendor: Sangoma

CVE Published: 16 March 2020

What is CVE-2019-19851?

An XSS injection vulnerability in Sangoma FreePBX and PBXact affects the Debug/Test page of the Superfecta module. The issue is present at the admin/config.php?display=superfecta URI and can allow attackers to execute malicious scripts within a user’s browser session. The vulnerability affects FreePBX versions up to 13.0.4.7, 14.x versions up to 14.0.24, and 15.x versions up to 15.0.2.20, potentially leading to compromise of user information and unauthorized actions.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
