Home > Vulnerability Database > CVE-2025-55209

Mend.io Vulnerability Database

CVE-2025-55209

Good to know:

Date: September 4, 2025

contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.

Severity Score

6.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-55209

Url: https://github.com/FreePBX/contactmanager/commit/55abba0f1ab5d66ba87732fd06179231d1f68184

Url: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-j654-x3q2-6wm3

Url: https://www.mend.io/vulnerability-database/CVE-2025-55209

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/FreePBX/contactmanager.git - release/17.0.6;https://github.com/FreePBX/contactmanager.git - release/16.0.27;https://github.com/FreePBX/contactmanager.git - release/15.0.14

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-55209

Good to know:

Date: September 4, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?