2019-12-03 Multiple XSS Vulnerabilities
SEC-2019-003
CVE IDs: CVE-2019-19551, CVE-2019-19552
Overview:
Multiple XSS Vulnerabilities have been discovered in the ‘User Management’ module for FreePBX 13, FreePBX 14, and FreePBX 15.
Discovered By:
Dustin Cobb
Aon’s Cyber Labs
cyberlabs@aon.com
Impact:
CVSS v3.1 Details:
CVSS Base Score: 2.0
Impact Subscore: 1.4
Exploitability Subscore: 0.5
CVSS Temporal Score: 1.8
CVSS Environmental Score: 1.6
Modified Impact Subscore: 0.7
Overall CVSS Score: 1.6
Vulnerable software and versions:
The versions listed below, and earlier:
< userman v13.0.76.43
< userman v14.0.7
< userman v15.0.20
Fixed in the following versions:
>= userman v13.0.76.44
>= userman v14.0.8
>= userman v15.0.21
Related Information:
Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20821
Further Details:
An XSS vulnerability exists in the user management screen of the FreePBX Administrator web site, e.g. /admin/config.php?display=userman. An attacker with sufficient privileges can edit the “Display Name” of a user and embed malicious XSS code. When another user (such as an admin) visits the main “User Management” screen, the XSS payload will render and execute in the context of the victim user’s account.
A second stored XSS vulnerability exists in the User Management screen of the FreePBX Administrator web site. An attacker with access to the “User Control Panel” application can submit malicious values in some of the time/date formatting and time zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user’s profile, the XSS payload will render and execute in the context of the victim user’s account.
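Both issues share one root cause: values a user controls (display name, date/time format strings, time zone) are stored and later rendered into the User Management page without being escaped or validated. The following is an added example, not FreePBX code, of the two defensive layers a fix needs: reject out-of-range values for the fields that have a natural allowlist (format strings, IANA time zone identifiers), and HTML-escape every user-controlled value at render time, since a display name may legitimately contain any characters. Field names, limits and the fallback time-zone set are assumptions made for the example.

```python
import html
import re
import zoneinfo

# Allowlist for the time-zone field: the IANA identifiers known to the host.
# The fallback is a constructed set, used only if the host has no tz database.
ALLOWED_TIMEZONES = zoneinfo.available_timezones() or {
    "UTC", "Europe/London", "America/New_York",
}

# A date/time format string only needs strftime-style directives and a few
# separators; angle brackets, quotes, parentheses and the like are rejected.
FORMAT_RE = re.compile(r"^[A-Za-z0-9%:/., -]{1,32}$")
DISPLAY_NAME_MAX = 64  # assumed limit for the example


def validate_profile(display_name, date_format, time_format, timezone):
    """Server-side check of a profile update; returns {field: reason}, empty if OK."""
    errors = {}
    # The display name is free text: enforce only a length cap here and rely
    # on output encoding (render_profile_row) to neutralise any markup in it.
    if not display_name or len(display_name) > DISPLAY_NAME_MAX:
        errors["display_name"] = "must be 1-%d characters" % DISPLAY_NAME_MAX
    for field, value in (("date_format", date_format), ("time_format", time_format)):
        if not FORMAT_RE.match(value):
            errors[field] = "contains characters not allowed in a format string"
    if timezone not in ALLOWED_TIMEZONES:
        errors["timezone"] = "not a known IANA time zone identifier"
    return errors


def render_profile_row(display_name, timezone):
    """Build one row of the user listing with every user-controlled value
    HTML-escaped, so stored markup is shown as text instead of executed."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(display_name, quote=True),
        html.escape(timezone, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample submission carrying markup in two of the fields.
    print(validate_profile("Alice", "%Y-%m-%d", "%H:%M", "UTC"))
    print(validate_profile("Bob", '"><b>x</b>', "%H:%M", "Not/AZone"))
    print(render_profile_row("<b>Mallory</b>", "UTC"))
```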
The Sangoma and FreePBX teams have deemed this a major security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest version of the userman module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see the Module Admin User Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported to security@freepbx.org.