Some modules are vulnerable to HTML injections

RenatoSSS22 · May 11, 2022, 7:04am

Hi Guys,

Any one can help to mitigate this security issues we found?

We performed security testing on FreePBX 15.0.23 and found out that the following modules are not filtering the inputs and allowing HTML tags/ XSS script to load. See below proof:

Allow List
Black List
Contact Manager
Calendar
Calendar Events Groups
Call Flow Toggle Control
File Store
UCP Contacts

Here are the HTML tags that I’ve input in every forms:

Also, script tags or other html tags could lead to broke the forms/ redirect you to other website.

Be careful not to run them on your production server. You have to delete the entry on the backend or database before it gets back to work.

PitzKey · May 11, 2022, 7:42am

AFAIK, you need to be authenticated in other to be able to do that. So no biggie.

rsmithuk · May 11, 2022, 9:01am

One would also assume all web traffic is firewalled anyway so nobody should be able to access from anywhere other than trusted IPs.

lgaetz · May 11, 2022, 9:06am

Thanks for the report. Please open a ticket for engineering to review this properly. https://issues.freepbx.org/

system · June 11, 2022, 9:06am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.