CVSS: 4.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.

• https://wiki.freepbx.org/display/FOP/2020-01-09+XSS+Injection+vulnerability+in+Superfecta+Module
• https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not properly sanitized. If a user (such as an admin) then visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's account.

• https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.

• https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 65% | CPEs: 3 | EXPL: 0

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

• https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772
• https://pastebin.com/2CdsQMKW
• https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass
• https://www.freepbx.org/category/blog
• CWE-287: Improper Authentication

CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 1

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via a GET request to /config.php?type=tool&display=manager.

• https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372
• https://issues.freepbx.org/browse/FREEPBX-20436
• https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')