Vulnerabilities

CVE-2019-16967

by Fred · 21/10/2019

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (htmladminmodulesmanagerviewsform.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.

Date published : 2019-10-21

https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372

https://issues.freepbx.org/browse/FREEPBX-20436

Similar

Tags: Cybersecurity Alert