Platform
php
Component
arimanager
Fixed in
13.0.6
CVE-2019-25090 is a cross-site scripting (XSS) vulnerability affecting FreePBX ariManager versions 13.0.5.0 through 13.0.5.3. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue stems from improper handling of the dataurl argument within the Views Handler component. Upgrade to version 13.0.5.4 to mitigate this risk.
Successful exploitation of CVE-2019-25090 allows an attacker to inject arbitrary JavaScript code into the FreePBX ariManager interface. This can be leveraged to steal user session cookies, allowing the attacker to impersonate legitimate users. The attacker could also modify the content displayed to users, potentially leading to phishing attacks or defacement of the ariManager interface. Given ariManager’s role in managing FreePBX features, a compromised instance could provide an attacker with a foothold into the broader telephony system.
This vulnerability was publicly disclosed in December 2022. There is no indication of active exploitation campaigns targeting CVE-2019-25090 at this time. A public proof-of-concept is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit. It has been added to the CISA KEV catalog.
Organizations utilizing FreePBX with ariManager versions 13.0.5.0 through 13.0.5.3 are at risk. This includes businesses relying on FreePBX for their telephony infrastructure, particularly those with publicly accessible ariManager instances or those with limited security monitoring in place.
• php: Examine FreePBX logs for unusual activity or attempts to access the Views Handler component with suspicious dataurl parameters. Use grep to search for patterns resembling JavaScript code within log files.
grep -iE 'script|alert' /var/log/freepbx/logs/*
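The grep above searches the raw log text, so it keys on words rather than on the structure of the parameter: a harmless URL that merely contains `script.js` is a false positive, while the real signal is markup or event-handler syntax in the decoded `dataurl` value. The following is an added example, not code from the page or from the FreePBX project; the log lines and the request path `/admin/config.php?display=arimanager` are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from a real FreePBX host). The
# request path /admin/config.php?display=arimanager is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /admin/config.php?display=arimanager&dataurl=/recordings/index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2023:10:00:07 +0000] "GET /admin/config.php?display=arimanager&dataurl=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2023:10:00:09 +0000] "GET /admin/config.php?display=arimanager&dataurl=%22%20onerror%3Dalert(document.cookie)%20 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:12 +0000] "GET /admin/config.php?display=arimanager&dataurl=http://cdn.example/script.js HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markup characters, quote breakouts, inline event handlers and javascript: URLs.
XSS_RE = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.I)

def extract_dataurl(line):
    """Return the URL-decoded dataurl value of a logged request, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    values = params.get("dataurl")
    return values[0] if values else None

def looks_like_xss(value):
    """True when a decoded dataurl carries HTML/JS rather than a plain path or URL."""
    return bool(XSS_RE.search(value))

def scan_log(text):
    """Return (line number, decoded dataurl) for requests that look like injection."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        value = extract_dataurl(line)
        if value is not None and looks_like_xss(value):
            hits.append((n, value))
    return hits

def naive_grep_hits(text):
    """Line numbers a raw `grep -iE 'script|alert'` would report, for comparison."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if re.search(r"script|alert", line, re.I)]

if __name__ == "__main__":
    print("naive grep:", naive_grep_hits(SAMPLE_LOG))  # [2, 3, 4]
    for n, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: decoded dataurl = {value!r}")
```

Line 4 is reported by the word-based grep but not by the decoded check, because a URL ending in `script.js` contains no markup or handler syntax.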
EPSS
0.39% (60th percentile)
The primary mitigation for CVE-2019-25090 is to upgrade FreePBX ariManager to version 13.0.5.4 or later, which includes the fix (patch identifier: 199dea7cc7020d3c469a86a39fbd80f5edd3c5ab). If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the dataurl parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the dataurl parameter and verifying that it is properly sanitized.
Update the arimanager module to version 13.0.5.4 or higher. This update fixes a Cross-Site Scripting (XSS) vulnerability that could allow malicious code to be executed in users' browsers. The update can be performed through the FreePBX administration interface.
CVE-2019-25090 is a cross-site scripting vulnerability in FreePBX ariManager versions 13.0.5.0–13.0.5.3, allowing attackers to inject malicious scripts.
You are affected if you are running FreePBX ariManager versions 13.0.5.0 through 13.0.5.3. Upgrade to 13.0.5.4 or later to resolve the issue.
Upgrade FreePBX ariManager to version 13.0.5.4 or later. Apply the patch with identifier 199dea7cc7020d3c469a86a39fbd80f5edd3c5ab.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-25090, but the vulnerability's nature makes it easily exploitable.
Refer to the FreePBX security advisories and release notes for details on this vulnerability and the corresponding fix.