An issue exists in Manager 13.x prior to 13.0.2.6 and 15.x prior to 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via a GET request to /config.php?type=tool&display=manager.
Vulnerable Product |
---|
freepbx manager |
sangoma freepbx |
freepbx manager 13.0.1 |