Asterisk · Asterisk · CVE-2025-55739
**Name of the Vulnerable Software and Affected Versions**
FreePBX versions prior to 15.0.13
FreePBX versions 16.0.2 through 16.0.14
FreePBX versions 17.0.1 and 17.0.2
**Description**
The `api` module for FreePBX, an open-source GUI for Asterisk, uses a shared OAuth private key across multiple systems installed with the same FreePBX package. An attacker with access to this key could forge JWTs, bypass authentication, and potentially gain full access to both the REST and GraphQL API endpoints. Systems where the `api` module is enabled, configured, and was previously activated by an administrator for remote inbound connections may be affected.
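A fleet check for the condition described above, as an added example that is not part of the advisory or FreePBX's own code: it fingerprints the OAuth private key collected from each host and reports any key that appears on more than one system. The host names and key bytes are constructed placeholders, and the location of the key file on a real system is not given here and must be supplied by the operator.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches any PEM private key block ("PRIVATE KEY", "RSA PRIVATE KEY", ...).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S
)


def key_fingerprint(pem_text):
    """SHA-256 over the decoded key body, so re-wrapped or CRLF copies still match."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM private key block found")
    body = "".join(m.group(2).split())  # drop line breaks and stray whitespace
    der = base64.b64decode(body, validate=True)
    return hashlib.sha256(der).hexdigest()


def find_shared_keys(keys_by_host):
    """Map fingerprint -> sorted hosts, keeping only keys present on 2+ hosts."""
    groups = defaultdict(list)
    for host, pem_text in keys_by_host.items():
        groups[key_fingerprint(pem_text)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def constructed_pem(material, width=64, newline="\n"):
    """Constructed placeholder: arbitrary bytes in PEM armor, not a usable key."""
    b64 = base64.b64encode(material).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN PRIVATE KEY-----", *lines, "-----END PRIVATE KEY-----", ""]
    )


# Constructed sample: pbx-a and pbx-b carry the same key bytes (different
# wrapping and line endings); pbx-c has its own.
SAMPLE = {
    "pbx-a.example": constructed_pem(b"packaged-key-bytes" * 20),
    "pbx-b.example": constructed_pem(b"packaged-key-bytes" * 20, 76, "\r\n"),
    "pbx-c.example": constructed_pem(b"per-host-key-bytes" * 20),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE).items():
        print(f"SHARED KEY sha256={fp[:16]}... on {', '.join(hosts)}")
```

Any group this reports means a token signed on one of the listed hosts would verify on the others, so those hosts need distinct keys in addition to the update below.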
**Recommendations**
Update to FreePBX version 15.0.13 or later.
Update to FreePBX version 16.0.15 or later.
Update to FreePBX version 17.0.3 or later.