FREEPBX-4612

xss in freepbx (as present in asterisknow)


Details

• Type: Bug
• Status: Closed
• Resolution: Fixed
• Affects Version/s: 2.8
• Fix Version/s: None
• Component/s: Web interface

Description

Hi there! There is an XSS in the trunk display in AsteriskNOW, which I believe is in (or from) FreePBX.

Example: http://10.0.20.132/admin/config.php?display=trunks&tech=%22/%3E%3Cfooo%3E%3Cscript%3Ealert%282%29;%3C/script%3E

In addition, the Feature Code Admin area lets you put HTML into the page... (just try putting "/>WEE" into a field).
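The attribute-context breakout the report describes, shown as an added PHP example that is not FreePBX's own code: a render of the `tech` value that concatenates the raw query parameter into an attribute, beside the output-encoded form, plus an allow-list check on the value. The function names and the list of trunk technologies are assumptions made for this example.

```php
<?php
// Added example, not FreePBX's own code. Models a page that echoes the
// user-controlled ?tech= query value into an HTML attribute, as the
// report describes, and the hardened form. Function names and the
// allow-list of technologies are assumptions for this example.

// Vulnerable pattern: the raw value lands inside a double-quoted attribute,
// so a value beginning with "/> closes the attribute and the element, and
// whatever follows is parsed by the browser as new markup.
function render_tech_field_vulnerable(string $tech): string
{
    return '<input type="hidden" name="tech" value="' . $tech . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// turns both " and ' into entities so the value cannot end the attribute,
// and < and > become &lt; and &gt; so no element can be injected.
function render_tech_field_safe(string $tech): string
{
    $encoded = htmlspecialchars($tech, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="tech" value="' . $encoded . '">';
}

// Defence in depth: the trunk technology is one of a small fixed set, so
// reject anything else before it is used at all. The set is an assumption
// for this example; the real list of supported technologies may differ.
function valid_trunk_tech(string $tech): bool
{
    return in_array(strtolower($tech), ['sip', 'iax2', 'dahdi', 'custom'], true);
}

// Breakout string quoted in the report; constructed input for this example.
$probe = '"/>WEE';

echo render_tech_field_vulnerable($probe), PHP_EOL;
echo render_tech_field_safe($probe), PHP_EOL;
var_dump(valid_trunk_tech($probe));
var_dump(valid_trunk_tech('SIP'));
```

Run it with `php example.php`. In the first line of output the input element is closed early and `WEE` lands in the page body as markup; in the second the value appears as `&quot;/&gt;WEE` inside the attribute and is displayed as plain text. The allow-list rejects the probe and accepts `SIP`, so a page that validates first never has to render attacker-chosen text for this parameter at all; encoding at the point of output remains the fix for free-text fields such as the Feature Code Admin ones.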


People

• Assignee: Unassigned
• Reporter: d-b d-b
• Votes: 0
• Watchers: 0

