What is CVE-2019-16967?

CVE-2019-16967 is a vulnerability in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 in FreePBX 14.0.10.3 that allows for cross-site scripting (XSS) attacks.

How severe is CVE-2019-16967?

CVE-2019-16967 has a severity rating of 6.1, which is considered medium.

What software is affected by CVE-2019-16967?

Freepbx Manager versions 13.x before 13.0.2.6, 15.x before 15.0.6, and 13.0.1-alpha1, as well as Sangoma FreePBX up to version 14.0.10.3, are affected by CVE-2019-16967.

How can I fix CVE-2019-16967?

Upgrade to Manager 13.0.2.6 or later for version 13.x, upgrade to Manager 15.0.6 or later for version 15.x, upgrade to Manager 13.0.2 or later for version 13.0.1-alpha1, or upgrade to a version of Sangoma FreePBX later than 14.0.10.3.

Can CVE-2019-16967 be exploited remotely?

Yes, CVE-2019-16967 can be exploited remotely.

Vulnerability/
CVE-2019-16967

medium

6.1

CWE

21/10/2019

5/8/2024

CVE-2019-16967: XSS

First published: Mon Oct 21 2019(Updated: )

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Freepbx Manager	>=13.0.2<13.0.2.6
Freepbx Manager	>=15.0.2<15.0.6
Freepbx Manager	=13.0.1-alpha1
Sangoma FreePBX	<14.0.10.3

Remedy

https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372

Remedy

https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-2/

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-16967?
CVE-2019-16967 is a vulnerability in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 in FreePBX 14.0.10.3 that allows for cross-site scripting (XSS) attacks.
How severe is CVE-2019-16967?
CVE-2019-16967 has a severity rating of 6.1, which is considered medium.
What software is affected by CVE-2019-16967?
Freepbx Manager versions 13.x before 13.0.2.6, 15.x before 15.0.6, and 13.0.1-alpha1, as well as Sangoma FreePBX up to version 14.0.10.3, are affected by CVE-2019-16967.
How can I fix CVE-2019-16967?
Upgrade to Manager 13.0.2.6 or later for version 13.x, upgrade to Manager 15.0.6 or later for version 15.x, upgrade to Manager 13.0.2 or later for version 13.0.1-alpha1, or upgrade to a version of Sangoma FreePBX later than 14.0.10.3.
Can CVE-2019-16967 be exploited remotely?
Yes, CVE-2019-16967 can be exploited remotely.

collector/nvd-index
agent/weakness
agent/references
agent/author
agent/event
agent/type
agent/description
agent/severity
agent/softwarecombine
agent/remedy
agent/last-modified-date
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/freepbx
canonical/freepbx manager
version/freepbx manager/13.0.2
version/freepbx manager/15.0.2
version/freepbx manager/13.0.1-alpha1
vendor/sangoma
canonical/sangoma freepbx

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.