CVE-2019-19552
https://notcve.org/view.php?id=CVE-2019-19552
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account. En userman versiones 13.0.76.43 hasta 15.0.20 en Sangoma FreePBX, se presenta una vulnerabilidad de tipo XSS en la pantalla de administración de usuarios del sitio web del Administrador, es decir, el URI /admin/config.php? • https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-19006
https://notcve.org/view.php?id=CVE-2019-19006
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. Sangoma FreePBX versión 115.0.16.26 y anteriores, versión 14.0.13.11 y anteriores, versión 13.0.197.13 y anteriores, presenta un Control de Acceso Incorrecto. • https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772 https://pastebin.com/2CdsQMKW https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass https://www.freepbx.org/category/blog • CWE-287: Improper Authentication •
CVE-2018-15891
https://notcve.org/view.php?id=CVE-2018-15891
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. Se detecto un problema en el núcleo de FreePBX antes de la versión 3.0.122.43, 14.0.18.34 y 5.0.1beta4. Al crear una solicitud para agregar módulos de Asterisk, un atacante puede almacenar comandos de JavaScript en el nombre de un módulo. • https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpagetreemode https://www.freepbx.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •