Description
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. It can be requested via a GET request to /admin/ajax.php?module=contactmanager.
References (3)
Vendor Advisory x_refsource_misc
https://issues.freepbx.org/browse/FREEPBX-20437
Patch, Third Party Advisory x_refsource_misc
https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce2531bf633
Patch, Vendor Advisory x_refsource_misc
https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1/
Scores
CVSS v3
6.1
EPSS
0.0033
EPSS Percentile
56.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
freepbx/contactmanager
13.0.0 beta1 (5 CPE variants)
freepbx/contactmanager
14.0.1 (6 CPE variants)
freepbx/contactmanager
13.0.2 - 13.0.45.3
sangoma/freepbx
14.0.10.3
Published
Oct 21, 2019
Tracked Since
Feb 18, 2026