PT-2019-15873 · Sangoma · FreePBX

Published: 2019-12-06 · Updated: 2019-12-11 · CVE-2019-19551

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sangoma FreePBX userman versions 13.0.76.43 through 15.0.20

Description: A security issue exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in the time/date formatting and time-zone fields. These fields are not properly sanitized, so the stored values are rendered as markup and execute as script (stored XSS) in the browser of a user, such as an administrator, who views the affected user's profile.

Recommendations: For Sangoma FreePBX userman versions 13.0.76.43 through 15.0.20, consider restricting access to the User Management screen until a proper fix is applied, and ensure that all input fields, especially the time/date formatting and time-zone fields, are properly sanitized to prevent malicious code execution.
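The two layers the recommendation asks for, validating the time-zone and date-format fields on input and HTML-escaping them on output, look like this in PHP (FreePBX's language). This is an added example, not FreePBX or userman code; the function names and the constructed sample submissions are hypothetical.

```php
<?php
// Added example, not FreePBX code. Validates the two user-profile fields the
// advisory names (time/date format and time zone) when they are submitted, and
// HTML-escapes them when the profile is rendered, so a stored value can never
// be interpreted as markup in an administrator's browser. Names are hypothetical.

declare(strict_types=1);

/**
 * Accept a time zone only if PHP knows it as a real identifier.
 * Returns the identifier unchanged, or null when the value is rejected.
 */
function validateTimeZone(string $tz): ?string
{
    return in_array($tz, DateTimeZone::listIdentifiers(), true) ? $tz : null;
}

/**
 * Accept a date() format string made only of PHP format letters, a few
 * separators and the backslash escape. Angle brackets, quotes and anything
 * else that could become markup are rejected.
 */
function validateDateFormat(string $fmt): ?string
{
    if ($fmt === '' || strlen($fmt) > 64) {
        return null;
    }
    $allowed = '/^[dDjlNSwzWFmMntLoYyaABgGhHisuveIOPpTZcrU .,:\/\-\\\\]+$/';
    return preg_match($allowed, $fmt) === 1 ? $fmt : null;
}

/**
 * Output encoding, the second layer: even a value that slipped into the
 * database before validation existed is rendered as inert text.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one well-formed, one carrying HTML tags.
$submissions = [
    ['timezone' => 'Europe/Amsterdam',      'dateformat' => 'Y-m-d H:i'],
    ['timezone' => '<b>Europe/Oslo</b>',    'dateformat' => 'Y-m-d"<i>'],
];

foreach ($submissions as $s) {
    $tz  = validateTimeZone($s['timezone']);
    $fmt = validateDateFormat($s['dateformat']);
    if ($tz === null || $fmt === null) {
        // Reject at submission time; the raw value is never stored.
        echo "rejected: " . e(json_encode($s)) . "\n";
        continue;
    }
    // Profile rendering: escape regardless of earlier validation.
    echo "<td>" . e($tz) . "</td><td>" . e($fmt) . "</td>\n";
}
```

Validation alone is not enough for a stored XSS fix, because records written before the check existed are still in the database; escaping at render time is what makes those safe, and validation keeps the profile data meaningful.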

Fix

Weakness: XSS


Related Identifiers: CVE-2019-19551

Affected Products: FreePBX