Stored Cross-Site Scripting in FreePBX Contact Manager Module
CVE-2025-55209

5.1 MEDIUM

Key Information:

Vendor
FreePBX

CVE Published:
4 September 2025

What is CVE-2025-55209?

The Contact Manager module of FreePBX contains a stored cross-site scripting vulnerability affecting versions earlier than 15.0.14, versions 16.0.0 through 16.0.26.4, and versions 17.0.0 through 17.0.5. A low-privileged User Control Panel (UCP) user can store JavaScript that is later rendered unescaped and executes in the browser session of an administrator. Because the script runs with the administrator's session, the exposure includes session hijacking and privilege escalation from a UCP user to an administrative role. The issue is resolved in versions 15.0.14, 16.0.27, and 17.0.6.

Affected Version(s)

Package             Affected versions        Unaffected / fixed versions
security-reporting  < 15.0.14                15.0.14
security-reporting  >= 16.0.0, < 16.0.27     < 16.0.0, 16.0.27
security-reporting  >= 17.0.0, < 17.0.6      < 17.0.0, 17.0.6
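The affected ranges above, turned into an inventory check that tells an operator whether an installed module version falls inside an affected range and which release closes it. This is an added example, not part of the advisory; it assumes version strings are plain dotted numerics such as "16.0.26.4".

```python
# Added example: classify a FreePBX Contact Manager module version against
# the affected ranges published for CVE-2025-55209. Not code from the advisory.
from typing import List, Optional, Tuple

# (lower bound inclusive or None, upper bound exclusive) taken from the advisory;
# the upper bound of each range is also the release that fixes it.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "15.0.14"),
    ("16.0.0", "16.0.27"),
    ("17.0.0", "17.0.6"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.0.26.4' into (16, 0, 26, 4); non-numeric input is rejected."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so 15.0.14 == 15.0.14.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def fix_for(version: str) -> Optional[str]:
    """Fixed release for an affected version, or None when the version is not affected."""
    for low, high in AFFECTED_RANGES:
        above_low = low is None or compare(version, low) >= 0
        if above_low and compare(version, high) < 0:
            return high
    return None


def is_affected(version: str) -> bool:
    return fix_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory of module versions seen on several hosts.
    for v in ["15.0.13", "15.0.14", "16.0.26.4", "16.0.27", "17.0.5", "17.0.6"]:
        fix = fix_for(v)
        print(f"{v:>10}: {'affected, upgrade to ' + fix if fix else 'not affected'}")
```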

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown
