CVE-2019-16967

Published Oct 21, 2019

Last updated 5 years ago

CVSS medium 6.1

Overview

Description: An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:freepbx:manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2ED37131-8990-48EF-A4B1-7B612DB29C5C",
            "versionEndExcluding": "13.0.2.6",
            "versionStartIncluding": "13.0.2"
          },
          {
            "criteria": "cpe:2.3:a:freepbx:manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7B589D89-2766-4650-A731-C8664ABADAC0",
            "versionEndExcluding": "15.0.6",
            "versionStartIncluding": "15.0.2"
          },
          {
            "criteria": "cpe:2.3:a:freepbx:manager:13.0.1:alpha1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "18119454-234A-476B-9145-883E13727510"
          },
          {
            "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0451B14C-368A-4C87-A92F-609067382EA8",
            "versionEndExcluding": "14.0.10.3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References