2020-01-09 XSS Injection vulnerability in Call Event Logging module

SEC-2020-001

CVE ID: CVE-2019-19852

Overview:

An XSS injection vulnerability exists in FreePBX/PBXact 13, 14, and 15 within the ‘Call Event Logging’ module.


Discovered By:

Pierre Jourdan

Impact:

CVSS v3.1 Details:

  • CVSS Base Score: 2.0

  • Impact Subscore: 1.4

  • Exploitability Subscore: 0.5

  • CVSS Temporal Score: 1.8

  • CVSS Environmental Score: 1.6

  • Modified Impact Subscore: 0.7

  • Overall CVSS Score: 1.6

AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:N/MI:L/MA:N

Vulnerable software and versions:

The versions listed below and all earlier versions:

  • <= Cel v13.0.26.9

  • <= Cel v14.0.2.14

  • <= Cel v15.0.15.4

Fixed in the following versions:

  • >= Cel v13.0.26.10

  • >= Cel v14.0.2.15

  • >= Cel v15.0.15.5

Related Information

Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20556

Further Details:

An XSS vulnerability exists on the Call Event Logging report screen in the ‘cel’ module, e.g. /admin/config.php?display=cel. An attacker can inject JavaScript code through the date fields.
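As an added illustration (not code from the cel module or FreePBX), the server-side pattern that closes this class of reflected XSS in a PHP report screen: each date parameter is validated against a strict format before use and HTML-encoded when echoed back into the form. The parameter name `startdate`, the fallback date and the request values are constructed for the example.

```php
<?php
// Added example, not FreePBX code. Validates a report's date fields against a
// strict YYYY-MM-DD format and HTML-encodes anything echoed back into markup.
// The parameter name 'startdate' and the fallback date are assumptions.
declare(strict_types=1);

/** Accept only a complete, real calendar date; return it normalised or null. */
function parseReportDate(string $raw): ?string
{
    // Structural check first: anything but digits and two hyphens is refused,
    // so markup never reaches the date parser at all.
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw) !== 1) {
        return null;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $raw, new DateTimeZone('UTC'));
    // createFromFormat silently rolls 2019-02-30 over to 2019-03-02; the
    // round-trip comparison rejects such inputs as well.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

/** Vulnerable pattern (illustrative): input reflected unchanged into an attribute. */
function renderDateFieldUnsafe(string $name, string $raw): string
{
    return "<input type=\"text\" name=\"$name\" value=\"$raw\">";
}

/** Hardened pattern: validate, fall back to a known-good default, encode on output. */
function renderDateFieldSafe(string $name, string $raw, string $fallback): string
{
    $value    = parseReportDate($raw) ?? $fallback;
    $attr     = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type=\"text\" name=\"$safeName\" value=\"$attr\">";
}

// Constructed request values standing in for what a browser would submit.
$requests = [
    'normal'   => '2020-01-09',
    'rollover' => '2019-02-30',
    'markup'   => '"><script>alert(1)</script>',
];
foreach ($requests as $label => $raw) {
    printf("%-8s unsafe: %s\n", $label, renderDateFieldUnsafe('startdate', $raw));
    printf("%-8s safe:   %s\n", $label, renderDateFieldSafe('startdate', $raw, '2020-01-01'));
}
```

The 'rollover' case shows why the round-trip check matters: a format-only check would accept an impossible date and let the parser rewrite it.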

The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX versions 13, 14, and 15 to upgrade to the latest version of the cel module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.
