PT-2019-15874 · Sangoma · Freepbx

Published: 2019-12-06 · Updated: 2019-12-10 · CVE-2019-19552

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sangoma FreePBX userman versions 13.0.76.43 through 15.0.20

Description: The issue exists in the user management screen of the Administrator website, specifically at the /admin/config.php?display=userman API endpoint. An attacker with sufficient privileges can embed malicious code in the Display Name of a user. When another user, such as an admin, visits the main User Management screen, the stored code is rendered and executes in the context of the victim user's account (a stored cross-site scripting issue).

Recommendations: For Sangoma FreePBX userman versions 13.0.76.43 through 15.0.20, consider restricting access to the user management screen until a fix is available. As a temporary workaround, avoid editing the Display Name of users to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
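To illustrate the class of defect described above, here is an added example (not FreePBX's own code; the user records are constructed): a Display Name concatenated into HTML unescaped beside the corrected output-escaping form, plus an audit helper for finding already-stored markup in existing accounts.

```python
import html
import re

# Constructed sample records; the second one carries markup in its Display Name.
USERS = [
    {"username": "alice", "display_name": "Alice Example"},
    {"username": "mallory", "display_name": "<script>document.title='x'</script>"},
]


def render_row_vulnerable(user):
    """Vulnerable pattern: the Display Name is concatenated into HTML unescaped,
    so markup stored in the field is executed when an admin views the list."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (user["username"], user["display_name"])


def render_row_safe(user):
    """Hardened pattern: every user-controlled value is HTML-escaped at output
    time, regardless of what was stored or who stored it."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(user["username"], quote=True),
        html.escape(user["display_name"], quote=True),
    )


def contains_markup(value):
    """Defence-in-depth input check: flag any Display Name containing characters
    that open a tag or break out of an attribute. Output escaping remains the fix."""
    return re.search(r"[<>\"']", value) is not None


def find_suspicious_display_names(users):
    """Audit helper: usernames whose stored Display Name contains markup, for
    checking an existing install for payloads stored before a fix is applied."""
    return [u["username"] for u in users if contains_markup(u["display_name"])]
```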

Weakness Enumeration: XSS

Related Identifiers: CVE-2019-19552

Affected Products: Freepbx