CVE-2018-15891

CVE Database · CVE-2018-15891

CVE-2018-15891

· N/AModified

CVSS v3.1

N/A

EPSS

0.56%

Published

Jun 20, 2019

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.

Weaknesses (CWE)

CWE-79

Affected Products (5)

freepbx · freepbxvulnerable

sangoma · freepbx (up to 13.0.122.43)vulnerable

sangoma · freepbx (up to 14.0.18.34)vulnerable

sangoma · freepbxvulnerable

References (4)

https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpagetreemode

Vendor Advisory

https://www.freepbx.org/

Product

https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpagetreemode

Vendor Advisory

https://www.freepbx.org/

Product

KEV Catalog EPSS Scores Vendors All CVEs