CVE IDs: CVE-2019-19551, CVE-2019-19552
Multiple stored XSS vulnerabilities have been discovered in the ‘User Management’ (userman) module for FreePBX 13, FreePBX 14, and FreePBX 15.
Aon’s Cyber Labs
CVSS v3.1 Details:
CVSS Base Score: 2.0
Impact Subscore: 1.4
Exploitability Subscore: 0.5
CVSS Temporal Score: 1.8
CVSS Environmental Score: 1.6
Modified Impact Subscore: 0.7
Overall CVSS Score: 1.6
Vulnerable software and versions:
Versions earlier than those listed below:
< userman v184.108.40.206
< userman v14.0.7
< userman v15.0.20
Fixed in the following versions:
>= userman v220.127.116.11
>= userman v14.0.8
>= userman v15.0.21
Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20821
A stored XSS vulnerability exists in the user management screen of the FreePBX Administrator web site, e.g. /admin/config.php?display=userman. An attacker with sufficient privileges can edit the “Display Name” of a user and embed malicious XSS code. When another user (such as an admin) visits the main “User Management” screen, the XSS payload renders and executes in the context of the victim user’s account.
A second stored XSS vulnerability exists in the User Management screen of the FreePBX Administrator web site. An attacker with access to the “User Control Panel” application can submit malicious values in some of the time/date formatting and time zone fields, which are not properly sanitized. When a user (such as an admin) then visits the User Management screen and views that user’s profile, the XSS payload renders and executes in the context of the victim user’s account.
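Both issues share one root cause: values that a lower-privileged user controls (display name, time zone, date format) are stored and later written into the administrator's HTML page without output encoding or input validation. The following is an added illustration, not code from the FreePBX project or from this advisory, written in Python rather than FreePBX's PHP to keep it self-contained. It contrasts the unsafe rendering pattern with an output-encoded version, adds allow-list checks for the time zone and date-format fields, and includes an audit function that a defender could adapt to scan existing user records for markup. The record layout, field names and sample values are constructed for the example and do not reflect the real userman database schema.

```python
import html
import re

# Constructed sample records standing in for userman rows (field names are assumptions).
SAMPLE_USERS = [
    {"username": "alice", "displayname": "Alice Example",
     "timezone": "America/New_York", "dateformat": "%Y-%m-%d"},
    {"username": "mallory", "displayname": "<script>alert(1)</script>",
     "timezone": "UTC", "dateformat": "%d/%m/%Y"},
    {"username": "eve", "displayname": "Eve",
     "timezone": "<script>alert(1)</script>", "dateformat": "%H:%M"},
]

# Allow-list for tz database identifiers: one to three alphanumeric path segments
# (e.g. "UTC", "Europe/Berlin", "America/Argentina/Buenos_Aires"). A production check
# should additionally compare against the server's installed time zone list.
TZ_RE = re.compile(r"^[A-Za-z]+(?:/[A-Za-z0-9_+\-]+){0,2}$")

# Allow-list for strftime-style format strings: directives plus a few separators only.
DATEFMT_RE = re.compile(r"^(?:%[A-Za-z]|[ ,.:/\-])+$")

# Characters that have meaning in HTML and should never appear raw in a rendered cell.
MARKUP_RE = re.compile(r"[<>\"'&]")


def render_display_name_unsafe(name: str) -> str:
    """The pattern the advisory describes: the stored value is concatenated
    directly into the page, so any markup in it is interpreted by the browser."""
    return f"<td>{name}</td>"


def render_display_name(name: str) -> str:
    """Hardened form: HTML-encode on output so the stored value is displayed as
    text rather than executed as markup, regardless of who set it."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def validate_timezone(tz: str) -> bool:
    """Reject anything that is not shaped like a tz database identifier."""
    return TZ_RE.fullmatch(tz) is not None


def validate_date_format(fmt: str) -> bool:
    """Reject format strings containing characters outside the allow-list."""
    return DATEFMT_RE.fullmatch(fmt) is not None


def audit_users(users: list[dict]) -> list[tuple[str, str]]:
    """Scan stored records for the conditions behind CVE-2019-19551/19552:
    markup in the display name, or invalid time zone / date-format values.
    Returns (username, field) pairs for each finding."""
    findings = []
    for user in users:
        if MARKUP_RE.search(user["displayname"]):
            findings.append((user["username"], "displayname"))
        if not validate_timezone(user["timezone"]):
            findings.append((user["username"], "timezone"))
        if not validate_date_format(user["dateformat"]):
            findings.append((user["username"], "dateformat"))
    return findings


if __name__ == "__main__":
    for username, field in audit_users(SAMPLE_USERS):
        print(f"suspicious value in field '{field}' for user '{username}'")
    # Show that encoding on output neutralises the stored markup.
    print(render_display_name_unsafe(SAMPLE_USERS[1]["displayname"]))
    print(render_display_name(SAMPLE_USERS[1]["displayname"]))
```

The audit only flags records; remediation is to upgrade the userman module to a fixed release and then review or reset any flagged values. Output encoding is the primary fix for the display-name case because a name can legitimately contain characters like `&`; the allow-list validation is appropriate for the time zone and date-format fields because their valid values have a narrow, well-defined shape.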
The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX 13, 14 and 15 to upgrade to the latest version of the userman module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at firstname.lastname@example.org.