CVE-2019-19552

low-risk
Published 2019-12-06

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Sangoma

References (2)

Vendor Advisory https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities
Vendor Advisory https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal