In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.
References
Link | Resource |
---|---|
https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities | Vendor Advisory |
https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 04:34
Type | Values Removed | Values Added |
---|---|---|
References | () https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities - Vendor Advisory |
Information
Published : 2019-12-06 16:15
Updated : 2024-11-21 04:34
NVD link : CVE-2019-19552
Mitre link : CVE-2019-19552
CVE.ORG link : CVE-2019-19552
JSON object : View
Products Affected
sangoma
- freepbx
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')