CVE-2025-55209
September 04, 2025
contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6.
Affected Packages
https://github.com/FreePBX/contactmanager.git (GITHUB):
Affected version(s) >=release/16.0.2 <release/16.0.27Fix Suggestion:
Update to version release/16.0.27https://github.com/FreePBX/contactmanager.git (GITHUB):
Affected version(s) >=release/12.0.2 <release/15.0.14Fix Suggestion:
Update to version release/15.0.14https://github.com/FreePBX/contactmanager.git (GITHUB):
Affected version(s) >=release/17.0.1 <release/17.0.6Fix Suggestion:
Update to version release/17.0.6Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EPSS
Base Score:
0.05
