CVE ID: CVE-2019-19852
A XSS Injection vulnerability exists in FreePBX/PBXact 13, 14, and 15 within the ‘Call Event Logging’ module.
CVSS v3.1 Details:
CVSS Base Score:2.0
CVSS Temporal Score:1.8
CVSS Environmental Score:1.6
Modified Impact Subscore:0.7
Overall CVSS Score:1.6
Vulnerable software and versions:
The versions listed below (or less than)
<= Cel v126.96.36.199
<= Cel v188.8.131.52
<= Cel v184.108.40.206
The following versions of fixes:
>= Cel v220.127.116.11
>= Cel v18.104.22.168
>= Cel v22.214.171.124
Official Bug ticket: https://issues.freepbx.org/browse/FREEPBX-20556
The Sangoma and FreePBX team has deemed this a major security issue. We strongly encourage all users of FreePBX versions 13, 14, and 15 to upgrade to the latest version of the cel module. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see http://wiki.freepbx.org/display/FPG/Module+Admin+User+Guide.
Sangoma takes security seriously and requests that any future FreePBX security issue be reported at firstname.lastname@example.org.