2021-09-15 XSS Injection vulnerability in Voicemail Module
SEC-2021-009
CVE Name: CVE-2021-41058
Overview
A stored XSS exists in the Voicemail Admin module of FreePBX 13, 14, 15 and 16.
Discovered by: Konstantin Gimpel <konstantin.gimpel@gmail.com>
Impact:
CVSS Base Score: 2.4
Impact Subscore: 1.4
Exploitability Subscore: 0.9
CVSS Temporal Score: 2.2
CVSS Environmental Score: 2.3
Modified Impact Subscore: 0.6
Overall CVSS Score: 2.3
Vulnerable software and versions
FreePBX 13 - module: Voicemail, affected version: <= 13.0.59.6, fixed version: 13.0.59.7
FreePBX 14 - module: Voicemail, affected version: <= 14.0.6.24, fixed version: 14.0.6.25
FreePBX 15 - module: Voicemail, affected version: <= 15.0.18.38, fixed version: 15.0.18.39
FreePBX 16 - module: Voicemail, affected version: <= 16.0.20, fixed version: 16.0.21
Related Information
Official Bug ticket : https://issues.freepbx.org/browse/FREEI-2107
Further Details
Voicemail Admin Module
This issue is similar to issue FREEI-2107. It occurs when a malicious script is injected directly into a vulnerable web application and stored, so that it is later rendered to other users of the admin interface. For this issue too, we have added the htmlentities() function for the affected input fields.
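The following is an added illustration of the fix pattern, not code from the FreePBX Voicemail module: a stored voicemail field written into the admin page verbatim, beside the same rendering with htmlentities() applied. The function names, the field names and the sample record are constructed for this example.

```php
<?php
// Added illustration, not code from the FreePBX Voicemail module.
// The mailbox array and the field names are constructed for this example.

// Escape a stored value before placing it in HTML body or attribute context.
// ENT_QUOTES escapes both " and ' (PHP before 8.1 defaults to ENT_COMPAT,
// which leaves single quotes alone); ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole output into an empty string; the charset must match
// the one the page is served with.
function vm_escape(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored fields are concatenated into the page as-is,
// so any markup saved in a field becomes part of the admin page.
function render_mailbox_row_unsafe(array $mailbox): string
{
    return '<tr><td>' . $mailbox['mailbox'] . '</td>'
         . '<td>' . $mailbox['name'] . '</td>'
         . '<td><a href="?mailbox=' . $mailbox['mailbox'] . '">edit</a></td></tr>';
}

// Fixed pattern: every stored field passes through the escaper, in both the
// element body and the attribute value.
function render_mailbox_row(array $mailbox): string
{
    return '<tr><td>' . vm_escape($mailbox['mailbox']) . '</td>'
         . '<td>' . vm_escape($mailbox['name']) . '</td>'
         . '<td><a href="?mailbox=' . vm_escape($mailbox['mailbox']) . '">edit</a></td></tr>';
}

// Regression check: the only tags in the rendered row must be the template's own.
function row_contains_only_template_tags(string $html): bool
{
    $stripped = str_replace(['<tr>', '</tr>', '<td>', '</td>', '</a>'], '', $html);
    $stripped = preg_replace('/<a href="[^"]*">/', '', $stripped);
    return strpos($stripped, '<') === false;
}

// Constructed sample record with markup and quotes in the display name.
$sample = ['mailbox' => '2001', 'name' => 'Ops <b>desk</b> "after hours"'];

$unsafe = render_mailbox_row_unsafe($sample);
$safe   = render_mailbox_row($sample);

echo 'unsafe row keeps foreign tags: ', var_export(!row_contains_only_template_tags($unsafe), true), PHP_EOL;
echo 'fixed row is clean:            ', var_export(row_contains_only_template_tags($safe), true), PHP_EOL;
echo $safe, PHP_EOL;
```

htmlentities() is the right tool for HTML body and attribute context only; a value placed inside inline JavaScript or a URL needs context-specific encoding instead.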
The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest fixed module versions. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.