CVE-2019-19552

In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.

Published: Dec 6, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-19552
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sangoma / freepbx	15.0	15.0.20.x
sangoma / freepbx	14.0	14.0.7.x
sangoma / freepbx	13.0	13.0.76.43.x

https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities

Vulnerability Database

289,697

CVE-2019-19552