SEC-2020-001

CVE ID: CVE-2019-19852

Overview:

An XSS injection vulnerability exists in FreePBX/PBXact 13, 14, and 15 within the ‘Call Event Logging’ module.

...

AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:N/MI:L/MA:N

Vulnerable software and versions:

The versions listed below (or lower)

...

  • >= Cel v13.0.26.10

  • >= Cel v14.0.2.15

  • >= Cel v15.0.15.5

Related Information

Official bug ticket: https://issues.freepbx.org/browse/FREEPBX-20556

Further Details:

An XSS vulnerability exists on the Call Event Logging report screen in the ‘cel’ module, e.g. /admin/config.php?display=cel. An attacker can inject JavaScript code through the date fields.
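One way to handle date fields like those described above, shown as an added example and not the FreePBX fix or any project code: accept a value only if it is a strict calendar date, and HTML-escape whatever is echoed back into the page. The function names, the `startdate` parameter name and the YYYY-MM-DD format are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept a report date only if it is a real calendar
// date in YYYY-MM-DD form (the format is an assumption for this example).
function parse_report_date($raw): ?string
{
    // Request parameters can arrive as arrays (?startdate[]=...), so check the type.
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls impossible dates forward (2020-02-31 becomes March),
    // so require that the parsed value formats back to the original string.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

// Escape for HTML text and quoted attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Echo the date back into the form. The value is escaped even though it was
// validated, so a later change to the validator cannot reopen the page.
function render_date_input(string $name, ?string $value): string
{
    return sprintf('<input type="date" name="%s" value="%s">', h($name), h($value ?? ''));
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    '2020-01-15',            // well-formed date
    '2020-02-31',            // right shape, not a real date
    '2020-01-15"><b>x</b>',  // markup appended to a date
    ['2020-01-15'],          // array instead of a string
];

foreach ($samples as $raw) {
    $clean = parse_report_date($raw);
    echo ($clean === null ? 'rejected: ' : 'accepted: '),
         render_date_input('startdate', $clean), "\n";
}
```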

...