CVE-2019-16967

medium

Description

An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.

References

Advisories
More

https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-2/

https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372

https://issues.freepbx.org/browse/FREEPBX-20436

Details

Source: Mitre, NVD

Published: 2019-10-21

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00397