PT-2025-36096 · FreePBX · FreePBX contactmanager module
J0Eblow
Published: 2025-09-04 · Updated: 2025-09-05
CVE-2025-55209
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions
FreePBX contactmanager module versions 15.0.14 and below
FreePBX contactmanager module versions 16.0.0 through 16.0.26
FreePBX contactmanager module versions 17.0.0 through 17.0.5
Description
The FreePBX contactmanager module contains a stored cross-site scripting (XSS) vulnerability. A low-privileged User Control Panel (UCP) user can store malicious JavaScript in the system; the script then executes in an administrator's browser when the administrator interacts with the affected component, potentially leading to session hijacking and privilege escalation.
Recommendations
Update to FreePBX contactmanager module version 15.0.15 or later
Update to FreePBX contactmanager module version 16.0.27 or later
Update to FreePBX contactmanager module version 17.0.6 or later
Tags: Exploit, Fix, LPE, XSS
Affected Products: FreePBX contactmanager module