FreePBX Contact Manager Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the FreePBX Contact Manager module, affecting versions 15.0.14 and below, 16.0.0 through 16.0.26.4, and 17.0.0 through 17.0.5. This vulnerability allows low-privileged User Control Panel (UCP) users to inject malicious JavaScript that executes in the context of an administrator, potentially leading to session hijacking and privilege escalation.

Impact

Exploitation of this vulnerability allows for session hijacking through theft of the PHPSESSID cookie, privilege escalation, and execution of arbitrary JavaScript in the administrator's browser.

Reproduction

To reproduce this vulnerability, a low-privileged UCP user creates a new contact group and places a JavaScript payload in its name field. Once saved, the payload executes immediately in that user's own session and persists in the stored group name. When an administrator later views the Contact Manager component, the stored script runs in the administrator's browser.

Remediation

Users should upgrade to FreePBX versions 15.0.14, 16.0.27, or 17.0.6, and check their UCP Contact Groups for any injected JavaScript.
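The two halves of this advisory, the rendering defect and the "check your Contact Groups" remediation step, as an added example that is not FreePBX code: a group-name renderer in its unsafe and encoded forms, plus an audit helper over stored group names. The renderer functions and the sample records are hypothetical stand-ins for the Contact Manager template and database.

```javascript
// Added example, not FreePBX code. Shows why a UCP-supplied contact group
// name must be HTML-encoded before it reaches an administrator's page, and
// gives a helper for auditing already-stored group names.

// Encode the five HTML-significant characters so a stored name renders as
// text instead of being parsed as markup (same effect as PHP's
// htmlspecialchars($s, ENT_QUOTES) in a PHP view).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hypothetical row renderers standing in for the Contact Manager template.
// The unsafe version splices the raw name into HTML, which is the stored XSS
// pattern; the safe version encodes it first.
function renderGroupRowUnsafe(group) {
  return `<tr><td>${group.name}</td></tr>`;
}
function renderGroupRowSafe(group) {
  return `<tr><td>${escapeHtml(group.name)}</td></tr>`;
}

// Audit helper for the remediation step: flag stored names containing markup
// or script-bearing constructs. A legitimate group name never needs these.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i,   // any HTML tag
  /\bon[a-z]+\s*=/i,          // inline event-handler attribute
  /javascript\s*:/i,          // javascript: URL scheme
  /&#x?[0-9a-f]+;?/i,         // numeric entities used to smuggle tags
];
function findSuspiciousGroups(groups) {
  return groups.filter((g) => SUSPICIOUS.some((re) => re.test(g.name)));
}

// Constructed sample records, not real FreePBX data.
const sampleGroups = [
  { id: 1, name: "Sales Team" },
  { id: 2, name: "Support <script>alert(1)</script>" },
  { id: 3, name: "Ops <img src=x onerror=alert(1)>" },
  { id: 4, name: "Tom & Jerry's group" },
];

console.log(findSuspiciousGroups(sampleGroups).map((g) => g.id)); // [2, 3]
```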

Added: Sep 4, 2025, 11:22 PM
Updated: Sep 4, 2025, 11:22 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          5.4
  exploitability  5.4
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.