2016-07-18 Multiple XSS

SEC-2016-002

Overview:

Multiple XSS Vulnerabilities have been discovered in several modules. Requires User Control Panel login, accompanied by Administrative Login into FreePBX Admin GUI

Discovered By:

Douglas Goddard <douglas(dot)gastonguay(at)gmail(dot)com>

Impact:

CVSS 3 Details:

  • Base Score: 2.0

  • Temporal Score: 1.6

  • Environmental Score: 1.1

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U/CR:L/IR:X/AR:X/MAV:N/MAC:H/MPR:H/MUI:R/MS:U/MC:L/MI:N/MA:N

Vulnerable software and versions:

The versions listed below (or less than)

  • < ucp v13.0.36

  • < ucp v12.0.24

  • < framework v13.0.162

  • < framework v12.0.76.3

Note that FreePBX 2.11 and earlier are not affected. The following versions of fixes:

  • >= ucp v13.0.37

  • >= ucp v12.0.25

  • >= framework v13.0.163

  • >= framework v12.0.76.4

Related Information

-N/A

Further Details:

This XSS originates in the settings area of the user control panel. eg. /ucp/?display=settings. The regular user can set their display name to a arbitrary  HTML (a script). In order to execute this on the administrator requires user interaction on their part. This could be done through phishing or simply a user reporting a problem on their account. If the admin visits the menu Admin > User Management (/admin/config.php display=userman) this code will be included in the User List on the right hand side of the page and executed.

Sangoma strongly encourages all users of FreePBX 13 and 12 to upgrade to the latest framework and ucp version. This can be done from the Module Admin GUI or the CLI. For more information on using Module Admin, please see Module Admin Module User Guide .

Sangoma takes security seriously and request that any future FreePBX security issue be reported at security@freepbx.org.

Return to Documentation Home I Return to Sangoma Support