CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 0CVE-2019-16966
https://notcve.org/view.php?id=CVE-2019-16966
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager. Se detectó un problema en Contactmanager versiones 13.x anteriores a 13.0.45.3, versiones 14.x anteriores a 14.0.5.12 y versiones 15.x anteriores a 15.0.8.21 para FreePBX versión 14.0.10.3. • https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce2531bf633 https://issues.freepbx.org/browse/FREEPBX-20437 https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-15891
https://notcve.org/view.php?id=CVE-2018-15891
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. Se detecto un problema en el núcleo de FreePBX antes de la versión 3.0.122.43, 14.0.18.34 y 5.0.1beta4. Al crear una solicitud para agregar módulos de Asterisk, un atacante puede almacenar comandos de JavaScript en el nombre de un módulo. • https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpagetreemode https://www.freepbx.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 2CVE-2018-6393
https://notcve.org/view.php?id=CVE-2018-6393
FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors. ** EN DISPUTA ** FreePBX 10.13.66-32bit y 14.0.1.24 (SNG7-PBX-64bit-1712-2) permite inyección SQL de posautenticación mediante el parámetro order. NOTA: el vendedor discute este problema porque es intencional que un usuario pueda "modificar directamente las tablas SQL...". [o] ejecutar scripts shell .... una vez .... conectados a la interfaz de administración; no hay necesidad de intentar encontrar errores de validación de entrada". • http://code610.blogspot.com/2018/01/post-auth-sql-injection-in-freepbx.html http://www.securityfocus.com/bid/102854 https://github.com/c610/tmp/blob/master/sqlipoc-freepbx-14.0.1.24-req.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •