CVE-2018-15891

low-risk
Published 2019-06-20

An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (3)

Freepbx

Affected Vendors

Freepbx Sangoma

References (4)

Vendor Advisory https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpa...
Product https://www.freepbx.org/
Vendor Advisory https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpa...
Product https://www.freepbx.org/
29
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 9/34 · Low