PT-2020-10202 · Sangoma · FreePBX

Published: 2020-03-16 · Updated: 2020-03-19 · CVE-2019-19615

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected software and versions: FreePBX 14.0.10.2 through 14.0.10.7
Description: Multiple cross-site scripting (XSS) vulnerabilities exist in the Backup & Restore module of FreePBX. The id parameter of the backup configuration screen is reflected into the page without being neutralized, so an attacker can craft a link that carries script in that parameter; when another user, such as an administrator, follows the link, the script renders and executes in the context of that user's account. The vulnerable endpoint is "/admin/config.php?display=backup" on the FreePBX Administrator web site. The UI:R and S:C components of the vector reflect that the victim must open the crafted link and that the impact lands in the victim's browser session rather than on the web server itself.
Recommendations: For versions 14.0.10.2 through 14.0.10.7, disable or restrict the Backup & Restore module until a patched module is available, and install the fixed module through Module Admin as soon as it is. Restrict access to /admin/config.php?display=backup, for example by limiting the FreePBX Administrator interface to trusted management addresses at the web server or firewall, so that a crafted link is less likely to reach a logged-in administrator. Until the fix is applied, administrators should not follow links to the backup configuration screen that they did not construct themselves, because exploitation requires the victim to open a link whose id parameter carries the payload.
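While the module is unpatched, the practical check is to watch the web server log for requests to the vulnerable endpoint whose id parameter carries anything other than a backup job id. The script below is an added example written for this page; it is not FreePBX code and not part of the advisory. It assumes Apache/nginx "combined" log format, assumes a legitimate backup id is a plain integer (the advisory does not state the id format), and runs over constructed log lines so it works offline. It also double-decodes the parameter so a double-URL-encoded payload does not slip past the check.

```python
"""Flag attempts to exploit the FreePBX Backup & Restore reflected XSS (CVE-2019-19615).

Added example for this advisory page, not FreePBX or Sangoma code. Assumptions:
  - log lines are in Apache/nginx "combined" format;
  - a legitimate backup job id is a plain integer (not stated by the advisory).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Markers that never belong in a numeric id: tag delimiters, quotes, JS URLs,
# inline event handlers, script tags, alert() probes, and still-encoded brackets.
XSS_MARKERS = re.compile(
    r'[<>"\']|javascript:|\bon\w+\s*=|<\s*/?\s*script|alert\s*\(|%3c|%3e',
    re.IGNORECASE,
)

VULN_PATH = "/admin/config.php"  # vulnerable endpoint named in the advisory


def backup_id_param(target):
    """Return the (once-decoded) id value when `target` is the backup screen, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    if "backup" not in query.get("display", []):
        return None
    ids = query.get("id")
    return ids[0] if ids else None


def classify_id(value):
    """Return (reason, decoded_id); reason is None for a plausible backup id."""
    decoded = unquote(value)  # second decode catches %253C-style double encoding
    if re.fullmatch(r"\d+", decoded):
        return None, decoded
    if XSS_MARKERS.search(decoded):
        return "xss_markers", decoded
    return "non_numeric_id", decoded  # anomalous, lower confidence


def scan(lines):
    """Scan log lines; return one finding per request with a suspicious backup id."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_id = backup_id_param(m["target"])
        if raw_id is None:
            continue
        reason, decoded = classify_id(raw_id)
        if reason:
            findings.append({
                "client": m["client"], "time": m["time"],
                "status": m["status"], "id": decoded, "reason": reason,
            })
    return findings


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    # Legitimate administrator editing backup job 3.
    '192.0.2.10 - - [16/Mar/2020:10:01:12 +0000] "GET /admin/config.php?display=backup&action=edit&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Reflected payload in the id parameter.
    '203.0.113.7 - - [16/Mar/2020:10:02:45 +0000] "GET /admin/config.php?display=backup&action=edit&id=3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0"',
    # Double-URL-encoded payload meant to evade a single-decode filter.
    '203.0.113.7 - - [16/Mar/2020:10:03:02 +0000] "GET /admin/config.php?display=backup&id=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"',
    # Same markers against another module: outside the scope of this check.
    '198.51.100.4 - - [16/Mar/2020:10:04:19 +0000] "GET /admin/config.php?display=extensions&id=%3Cb%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    # Non-numeric id with no injection markers: anomalous, reported at lower confidence.
    '198.51.100.9 - - [16/Mar/2020:10:05:00 +0000] "GET /admin/config.php?display=backup&id=latest HTTP/1.1" 403 200 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} {f['reason']}: id={f['id']!r}")
```

The check is deliberately scoped to display=backup so it mirrors the advisory; widening `backup_id_param` to every display value would turn it into a generic reflected-XSS hunt across the whole administrator interface, which may be desirable but produces more noise.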

Type: XSS


Weakness Enumeration

Related Identifiers: CVE-2019-19615

Affected Products: FreePBX