Vulnerability Details : CVE-2019-19552
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-19552
- cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-19552
Top countries where our scanners detected CVE-2019-19552
Top open port discovered on systems with this issue
5060
IPs affected by CVE-2019-19552 1,656
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-19552!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-19552
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 21 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-19552
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
4.8
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
1.7
|
2.7
|
NIST |
CWE ids for CVE-2019-19552
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19552
-
https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities
2019-12-03 Multiple XSS Vulnerabilities - FreePBX OpenSource Project - DocumentationVendor Advisory
Jump to