Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

1 vulnerability found for contactmanager by FreePBX

CVE-2025-55209 (GCVE-0-2025-55209)

Vulnerability from cvelistv5

Published

2025-09-04 22:50

Modified

2026-02-13 21:53

Severity ?

5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.

References

URL

Tags

	https://github.com/FreePBX/security-reporting/security/advisories/GHSA-j654-x3q2-6wm3	x_refsource_CONFIRM
	https://github.com/FreePBX/contactmanager/commit/55abba0f1ab5d66ba87732fd06179231d1f68184	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FreePBX	contactmanager	Version: < 15.0.14 Version: >= 16.0.0, < 16.0.27 Version: >= 17.0.0, < 17.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55209",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-05T15:47:26.900264Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-05T15:47:36.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "contactmanager",
          "vendor": "FreePBX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.0.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0, \u003c 16.0.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0, \u003c 17.0.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk\u00a9 (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and  17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T21:53:28.920Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-j654-x3q2-6wm3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-j654-x3q2-6wm3"
        },
        {
          "name": "https://github.com/FreePBX/contactmanager/commit/55abba0f1ab5d66ba87732fd06179231d1f68184",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreePBX/contactmanager/commit/55abba0f1ab5d66ba87732fd06179231d1f68184"
        }
      ],
      "source": {
        "advisory": "GHSA-j654-x3q2-6wm3",
        "discovery": "UNKNOWN"
      },
      "title": "FreePBX UCP is Vulnerable to Stored XSS Through its User Control Panel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55209",
    "datePublished": "2025-09-04T22:50:59.946Z",
    "dateReserved": "2025-08-08T21:55:07.966Z",
    "dateUpdated": "2026-02-13T21:53:28.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}