| CVE-2023-43336 |
|
High |
Nov 02, 2023 |
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified paramet
more...
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.
less...
|
13.0, 14.0.10.3, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
| CVE-2019-25090 |
|
Medium |
Dec 27, 2022 |
A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of t
more...
A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown functionality of the component Views Handler. The manipulation of the argument dataurl leads to cross site scripting. The attack may be launched remotely. Upgrading to version 13.0.5.4 is able to address this issue. The name of the patch is 199dea7cc7020d3c469a86a39fbd80f5edd3c5ab. It is recommended to upgrade the affected component. VDB-216878 is the identifier assigned to this vulnerability.
less...
|
13.0, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
| CVE-2019-19852 |
|
Medium |
Mar 16, 2020 |
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the
more...
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. This affects cel through 13.0.26.9, 14.x through 14.0.2.14, and 15.x through 15.0.15.4.
less...
|
13.0
|
| CVE-2019-19851 |
|
Medium |
Mar 16, 2020 |
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/con
more...
An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through 13.0.4.7, 14.x through 14.0.24, and 15.x through 15.0.2.20.
less...
|
13.0, 14.0.10.3, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
| CVE-2019-19552 |
|
Medium |
Dec 06, 2019 |
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/confi
more...
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.
less...
|
13.0, 15.0.16.42
|
| CVE-2019-19551 |
|
Medium |
Dec 06, 2019 |
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with acce
more...
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not being properly sanitized. If this is done and a user (such as an admin) visits the User Management screen and views that user's profile, the XSS payload will render and execute in the context of the victim user's account.
less...
|
13.0, 15.0.16.42
|
| CVE-2019-19538 |
|
High |
Mar 16, 2020 |
In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that r
more...
In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation.
less...
|
13.0, 14.0.10.3, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
| CVE-2019-16967 |
|
Medium |
Oct 21, 2019 |
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules
more...
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
less...
|
13.0, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
| CVE-2018-15891 |
|
Medium |
Jun 20, 2019 |
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker i
more...
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
less...
|
13.0, 14.0.10.3, 2.3.1, 1.10.010, 1.10.006, 1.10.005, 1.10.004, 1.10.003, 1.10.002
|
