html\admin\modules\superfecta\Superfecta.class.php
https://github.com/FreePBX/superfecta/blob/release/14.0/Superfecta.class.php
Unsanitized $_REQUEST['tel'] and $_REQUEST['level'] are reflected in the HTML output, which leads to XSS (as you can see in the attached screenshot, taken on the latest FreePBX ISO, where the AJAX request is manipulated with Burp).
Line 309 onward:
echo "<span class='header'>"._('Debug is on and set at level:')."</span> ".$_REQUEST['level']."</br>";
echo "<span class='header'>"._('The Original Number:')."</span> ".$_REQUEST['tel']."</br>";
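
One way to harden these two lines, shown as an added example that is not Superfecta's own code. The helper names `h()` and `render_debug_header()` are hypothetical, and the 0-9 range accepted for the debug level is an assumption, not a value taken from the module.

```php
<?php
// Added example, not code from the Superfecta module.

// Shim so the snippet runs where the gettext extension is not loaded.
if (!function_exists('_')) {
    function _($s) { return $s; }
}

/** Escape a value for an HTML text node or a quoted attribute. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical helper: builds the debug header without echoing raw request data. */
function render_debug_header(array $request): string
{
    // 'level' should be a small integer, so validate it rather than reflect it.
    // The 0-9 range is an assumption; anything else falls back to 0.
    $level = filter_var(
        $request['level'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 9]]
    );
    if ($level === false) {
        $level = 0;
    }

    // 'tel' is free-form caller ID input: keep the value, but encode it on output.
    $tel = is_scalar($request['tel'] ?? null) ? (string) $request['tel'] : '';

    return "<span class='header'>" . h(_('Debug is on and set at level:')) . "</span> "
         . h($level) . "<br>\n"
         . "<span class='header'>" . h(_('The Original Number:')) . "</span> "
         . h($tel) . "<br>\n";
}

// Constructed sample input with markup in both parameters.
$sample = ['level' => '1<b>x</b>', 'tel' => '5551234<b>x</b>'];
echo render_debug_header($sample);
```

With the constructed sample, the level is rejected by validation and the markup in `tel` is emitted as entity-encoded text instead of being parsed by the browser.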