CVE-2019-16966

moderate-risk
Published 2019-10-21

An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.

Do I need to act?

-
0.33% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (13)

Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager
Contactmanager

Affected Vendors

Freepbx Sangoma

References (6)

Patch https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce...
Vendor Advisory https://issues.freepbx.org/browse/FREEPBX-20437
Patch https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1/
Patch https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce...
Vendor Advisory https://issues.freepbx.org/browse/FREEPBX-20437
Patch https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1/
41
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 1/34 · Minimal
Exposure 17/34 · Moderate