PT-2020-10260 · Sangoma · Freepbx+1

Published

2020-03-16

Updated

2020-03-19

CVE-2019-19852

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Sangoma FreePBX and PBXact versions 13.0.0 through 13.0.26.9 Sangoma FreePBX and PBXact versions 14.0.0 through 14.0.2.14 Sangoma FreePBX and PBXact versions 15.0.0 through 15.0.15.4

Description An XSS Injection issue exists within the Call Event Logging report screen in the cel module at the "admin/config.php?display=cel" URI via date fields.

Recommendations For versions 13.0.0 through 13.0.26.9, update to a version later than 13.0.26.9. For versions 14.0.0 through 14.0.2.14, update to a version later than 14.0.2.14. For versions 15.0.0 through 15.0.15.4, update to a version later than 15.0.15.4. As a temporary workaround, consider restricting access to the vulnerable "cel" module until a patch is available.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-19852

Affected Products

Freepbx

Pbxact

PT-2020-10260 · Sangoma · Freepbx+1

CVE-2019-19852

Weakness Enumeration

Related Identifiers

Affected Products

References · 5