Filtered by vendor Freepbx
Subscribe
Search
Total
4 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15891 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2019-12-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name. | |||||
| CVE-2019-16966 | 2 Freepbx, Sangoma | 2 Contactmanager, Freepbx | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager. | |||||
| CVE-2019-16967 | 2 Freepbx, Sangoma | 2 Manager, Freepbx | 2019-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager. | |||||
| CVE-2018-15892 | 1 Freepbx | 1 Disa | 2019-06-24 | 6.0 MEDIUM | 4.3 MEDIUM |
| FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page. | |||||