Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

SEC-2019-003

CVE IDs: CVE-2019-19551, CVE-2019-19552

Overview:

Multiple XSS Vulnerabilities have been discovered in the ‘User Management’ module for FreePBX 13, FreePBX 14, and FreePBX 15.

Discovered By:
Dustin Cobb
Aon’s Cyber Labs
cyberlabs@aon.com

Impact:

  • CVSS v3.1 Details:

  • CVSS Base Score: 2.0

  • Impact Subscore: 1.4

  • Exploitability Subscore: 0.5

  • CVSS Temporal Score: 1.8

  • CVSS Environmental Score: 1.6

  • Modified Impact Subscore: 0.7

  • Overall CVSS Score: 1.6

AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:N/MI:L/MA:N

Vulnerable software and versions:

The versions listed below (or less than)

  • < userman v13.0.76.43

  • < userman v14.0.7

  • < userman v15.0.20

The following versions of fixes:

  • >= userman v13.0.76.44

  • >= userman v14.0.8

  • >= userman v15.0.21

Related Information:

Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20821

Further Details:

A XSS vulnerability exists in the user management screen of the FreePBX Administrator web site. Eg. /admin/config.php?display=userman. An attacker with sufficient privileges can edit the “Display Name” of a user and embed malicious XSS code.  When another user (such as an admin) visits the main “User Management” screen, the XSS payload will render and execute in the context of the victim user’s account.

A second stored XSS vulnerability exists in the User Management screen of the FreePBX Administrator web site.  An attacker with access to the “User Control Panel” application can submit malicious values in some of the time/date formatting and time zone fields.  These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user’s profile, the XSS payload will render and execute in the context of the victim user’s account.

The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest version of the userman module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide .

Sangoma takes security seriously and request that any future FreePBX security issue be reported at security@freepbx.org.

  • No labels