  1. FreePBX
  2. FREEPBX-4615

XSS in FreePBX custom extensions (as present in AsteriskNOW)

    Details

      Description

      XSS in FreePBX 'custom extensions' (as present in AsteriskNOW)

      URL: http://10.0.20.132/admin/config.php?type=tool&display=customextens

      How to reproduce:
      A user (only) with access to the custom extensions can put into the description for a custom extension --> <script>alert(123);</script>

      If that doesn't work, let me know.
      As with my updated AsteriskNOW it works :/

              People

              • Assignee: Unassigned
              • Reporter: d-b d-b