2018-09-11 Core Stored XSS

Owned by Nathaniel Halbrooks
Last updated: Jan 31, 2024
1 min read

SEC-2018-003

Overview:

A stored XSS Injection vulnerability exists in FreePBX 13, 14 and 15 in the Core module listed under "Vulnerable software and versions" section

Discovered By:

DcLabs Security Research Group

Ewerson Guimarães (Crash) - Dclabs <crash(at)dclabs(dot)com(dot)br>

Impact:

CVSS 3 Details:

  • CVSS Base Score: 3.9

  • Impact Subscore: 3.4

  • Exploitability Subscore: 0.5

  • CVSS Temporal Score: 3.5

  • CVSS Environmental Score: 2.6

  • Modified Impact Subscore: 1.9

  • Overall CVSS Score: 2.6

AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:L/MI:L/MA:L

Vulnerable software and versions:

The versions listed below (or less than)

  • < core v13.0.122.43

  • < core v14.0.18.34

  • < core v15.0.1beta4

The following versions of fixes:

  • >= core v13.0.122.43

  • >= core v14.0.18.34

  • >= core v15.0.1beta4

Related Information

Official Bug ticket:  FREEPBX-18161 - Multiple XSS/SQL Vulnerabilities CLOSED

Further Details:

The vulnerability results in arbitrary javascript execution if a user clicks an external malicious link while being logged in as an administrator

The user has to be previously authenticated as a FreePBX administrator and be tricked into clicking an external link that would generate the javascript XSS

The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest core version. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide .

Sangoma takes security seriously and request that any future FreePBX security issue be reported at security@freepbx.org.

Return to Documentation Home I Return to Sangoma Support