PT-2025-36096 · Freepbx · Freepbx Contactmanager Module

J0Eblow · Published 2025-09-04 · Updated 2025-09-05 · CVE-2025-55209

CVSS v4.0: 5.1
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions:

FreePBX contactmanager module versions 15.0.14 and below

FreePBX contactmanager module versions 16.0.0 through 16.0.26

FreePBX contactmanager module versions 17.0.0 through 17.0.5

Description:

The FreePBX contactmanager module contains a stored cross-site scripting (XSS) vulnerability. A low-privileged User Control Panel (UCP) user can inject malicious JavaScript that the module stores; the script then executes in the context of an administrator who later interacts with the affected component, potentially leading to session hijacking and privilege escalation.

Recommendations (update the module to a fixed release):

FreePBX contactmanager module version 15.0.15 or later

FreePBX contactmanager module version 16.0.27 or later

FreePBX contactmanager module version 17.0.6 or later
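A version triage helper for the ranges above, added here as an example and not part of the advisory or the FreePBX project. It takes the installed contactmanager module version as a string (assumed to come from the administrator's own module inventory) and reports whether it falls inside an affected range; branches newer than 17 are not listed in the advisory, so the helper treats them as not affected, which is an assumption to re-check against the advisory.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed version per branch, exactly as the advisory states them.
# Everything below 15.0.15 is affected ("15.0.14 and below"), which
# also covers the whole 14.x line and earlier.
FIXED_BY_BRANCH = {
    15: (15, 0, 15),
    16: (16, 0, 27),
    17: (17, 0, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.26' (or '16.0.26.1') into a comparable integer tuple."""
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    # Pad to at least three components so '16' compares as 16.0.0.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies in an affected range for CVE-2025-55209."""
    v = parse_version(version)
    major = v[0]
    if major < 15:
        return True  # "15.0.14 and below"
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return False  # branch not covered by the advisory (assumption)
    return v < fixed


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventory version to 'affected' or 'fixed'."""
    return {ver: ("affected" if is_affected(ver) else "fixed") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = ["14.0.3", "15.0.14", "15.0.15", "16.0.26", "16.0.27", "17.0.5", "17.0.6"]
    for ver, status in triage(sample).items():
        print(f"contactmanager {ver}: {status}")
```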

Tags: Fix · LPE · XSS

Related Identifiers

CVE-2025-55209

Affected Products

Freepbx Contactmanager Module