CVE-2019-19552

{"id": "CVE-2019-19552", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2019-12-06T16:15:11.107", "references": [{"url": "https://wiki.freepbx.org/display/FOP/2019-12-03+Multiple+XSS+Vulnerabilities", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user (such as an admin) visits the main User Management screen, the XSS payload will render and execute in the context of the victim user's account."}, {"lang": "es", "value": "En userman versiones 13.0.76.43 hasta 15.0.20 en Sangoma FreePBX, se presenta una vulnerabilidad de tipo XSS en la pantalla de administraci\u00f3n de usuarios del sitio web del Administrador, es decir, el URI /admin/config.php?display=userman. Un atacante con privilegios suficientes puede editar el Display Name de un usuario e insertar c\u00f3digo XSS malicioso. Cuando otro usuario (como un administrador) visita la pantalla User Management principal, la carga XSS ser\u00e1 renderizada y ejecutada en el contexto de la cuenta del usuario v\u00edctima."}], "lastModified": "2019-12-10T18:46:40.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59469524-BCC0-4BBE-BB19-2B0D8ADC233C", "versionEndIncluding": "13.0.76.43", "versionStartIncluding": "13.0"}, {"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63535AD2-3440-4734-A0A7-E27031192C01", "versionEndIncluding": "14.0.7", "versionStartIncluding": "14.0"}, {"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEEE7AED-E091-4D51-B1CD-79AAD5E7F4A1", "versionEndIncluding": "15.0.20", "versionStartIncluding": "15.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}