Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-16966

An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.

Published

2019-10-21T19:15:11.030

Last Modified

2024-11-21T04:31:26.170

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-79
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application freepbx contactmanager < 13.0.45.3 Yes
Application freepbx contactmanager < 14.0.5.12 Yes
Application freepbx contactmanager < 15.0.8.21 Yes
Application freepbx contactmanager 13.0.0 Yes
Application freepbx contactmanager 13.0.0 Yes
Application freepbx contactmanager 13.0.0 Yes
Application freepbx contactmanager 13.0.0 Yes
Application freepbx contactmanager 13.0.0 Yes
Application freepbx contactmanager 14.0.1 Yes
Application freepbx contactmanager 14.0.1 Yes
Application freepbx contactmanager 14.0.1 Yes
Application freepbx contactmanager 14.0.1 Yes
Application freepbx contactmanager 14.0.1 Yes
Application freepbx contactmanager 14.0.1 Yes
Application sangoma freepbx 14.0.10.3 Yes
References