{"id":"CVE-2019-16966","details":"An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\\admin\\modules\\contactmanager\\Contactmanager.class.php), an unsanitized group variable taken from the URL is reflected into the HTML response in two places, leading to reflected cross-site scripting (XSS). The vulnerable code is reached via a GET request to /admin/ajax.php?module=contactmanager.","modified":"2026-04-10T04:16:28.661Z","published":"2019-10-21T19:15:11.030Z","references":[{"type":"ADVISORY","url":"https://issues.freepbx.org/browse/FREEPBX-20437"},{"type":"FIX","url":"https://github.com/FreePBX/contactmanager/commit/99e5aa0050224289cfe64c9036f38ce2531bf633"},{"type":"FIX","url":"https://resp3ctblog.wordpress.com/2019/10/19/freepbx-xss-1/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freepbx/contactmanager","events":[{"introduced":"8ca1e8389905bae2937e476fd3150aba5e0734f3"},{"fixed":"407c80a93c8bcd05762fc66ff93f2c8f3b7f40a7"},{"introduced":"b11cb56547db9b8f8b814230a46e0efea3ae718f"},{"fixed":"4bf4cdb67fd31a7cab641c73b002a6ca06085c08"},{"introduced":"8d26ffdc1b43b60a895d741db56336cce63d67b7"},{"fixed":"64f46c6f6ca5f3e8b2f673343d1851cc178453d6"},{"introduced":"0"},{"last_affected":"30355d0c3753848e715e4a949a8b35b61d194943"},{"introduced":"0"},{"last_affected":"609f0232dab04310d249cfe41b2e45523db7bd58"},{"introduced":"0"},{"last_affected":"325882d3283977815c750cdd6da2f700bd6964eb"},{"introduced":"0"},{"last_affected":"7f0ff6ec19bfc56b137f2efe6c90de6a95b73343"},{"introduced":"0"},{"last_affected":"8943c295b1e89c69bb44eb7b980f14272a0e789c"},{"introduced":"0"},{"last_affected":"5d3f14c0bc187e4148331b956ef32b8942112622"},{"introduced":"0"},{"last_affected":"dec1320c5ef4fc0545e34379cc053929a5cc255f"},{"introduced":"0"},{"last_affected":"a3048663d0920cf9bc5d9bc22b3d93a09c9e939c"},{"introduced":"0"},{"last_affected":"0311f01a2a4d00e7464c88700c7f071a93c96c27"},{"introduced":"0"},{"last_affected":
"c111dd029af2d6653f9f20bf3da05d57a58a49e7"},{"introduced":"0"},{"last_affected":"3636f7893013e61831c829b3bdbd75e362cb15b0"},{"fixed":"99e5aa0050224289cfe64c9036f38ce2531bf633"}],"database_specific":{"versions":[{"introduced":"13.0.2"},{"fixed":"13.0.45.3"},{"introduced":"14.0.1.1"},{"fixed":"14.0.5.12"},{"introduced":"15.0.2"},{"fixed":"15.0.8.21"},{"introduced":"0"},{"last_affected":"13.0.0-beta1"},{"introduced":"0"},{"last_affected":"13.0.0-beta2"},{"introduced":"0"},{"last_affected":"13.0.0-beta3"},{"introduced":"0"},{"last_affected":"13.0.0-beta4"},{"introduced":"0"},{"last_affected":"13.0.0-beta5"},{"introduced":"0"},{"last_affected":"14.0.1-NA"},{"introduced":"0"},{"last_affected":"14.0.1-alpha1"},{"introduced":"0"},{"last_affected":"14.0.1-alpha2"},{"introduced":"0"},{"last_affected":"14.0.1-beta1"},{"introduced":"0"},{"last_affected":"14.0.1-beta2"},{"introduced":"0"},{"last_affected":"14.0.1-beta3"}]}},{"type":"GIT","repo":"https://github.com/freepbx/framework","events":[{"introduced":"0"},{"last_affected":"fef337a31ecbe7ab2559348030f608dbde66d856"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"14.0.10.3"}]}}],"versions":["release/12.0.0.0alpha1.0","release/12.0.0alpha2","release/12.0.0alpha3","release/12.0.0beta1","release/12.0.1alpha1","release/12.0.1alpha10","release/12.0.1alpha11","release/12.0.1alpha12","release/12.0.1alpha13","release/12.0.1alpha14","release/12.0.1alpha16","release/12.0.1alpha17","release/12.0.1alpha18","release/12.0.1alpha19","release/12.0.1alpha2","release/12.0.1alpha20","release/12.0.1alpha21","release/12.0.1alpha22","release/12.0.1alpha23","release/12.0.1alpha24","release/12.0.1alpha25","release/12.0.1alpha26","release/12.0.1alpha27","release/12.0.1alpha28","release/12.0.1alpha29","release/12.0.1alpha3","release/12.0.1alpha30","release/12.0.1alpha31","release/12.0.1alpha32","release/12.0.1alpha4","release/12.0.1alpha5","release/12.0.1alpha7","release/13.0.0beta1","release/13.0.0beta2","release/13.0.0beta3"
,"release/13.0.0beta4","release/13.0.0beta5","release/13.0.10","release/13.0.11","release/13.0.12","release/13.0.13","release/13.0.14","release/13.0.15","release/13.0.16","release/13.0.17","release/13.0.1RC1.20","release/13.0.1RC1.21","release/13.0.1RC1.22","release/13.0.1RC1.23","release/13.0.1RC1.24","release/13.0.1RC1.25","release/13.0.1RC1.26","release/13.0.1RC1.27","release/13.0.1RC1.28","release/13.0.1RC1.30","release/13.0.1alpha10","release/13.0.1alpha11","release/13.0.1alpha12","release/13.0.1alpha14","release/13.0.1alpha15","release/13.0.1alpha16","release/13.0.1alpha17","release/13.0.1alpha18","release/13.0.1alpha19","release/13.0.1alpha2","release/13.0.1alpha20","release/13.0.1alpha21","release/13.0.1alpha22","release/13.0.1alpha23","release/13.0.1alpha24","release/13.0.1alpha25","release/13.0.1alpha26","release/13.0.1alpha27","release/13.0.1alpha28","release/13.0.1alpha29","release/13.0.1alpha3","release/13.0.1alpha30","release/13.0.1alpha31","release/13.0.1alpha32","release/13.0.1alpha33","release/13.0.1alpha34","release/13.0.1alpha35","release/13.0.1alpha36","release/13.0.1alpha37","release/13.0.1alpha38","release/13.0.1alpha39","release/13.0.1alpha4","release/13.0.1alpha40","release/13.0.1alpha41","release/13.0.1alpha42","release/13.0.1alpha43","release/13.0.1alpha44","release/13.0.1alpha45","release/13.0.1alpha46","release/13.0.1alpha47","release/13.0.1alpha48","release/13.0.1alpha49","release/13.0.1alpha5","release/13.0.1alpha50","release/13.0.1alpha51","release/13.0.1alpha52","release/13.0.1alpha53","release/13.0.1alpha54","release/13.0.1alpha55","release/13.0.1alpha56","release/13.0.1alpha57","release/13.0.1alpha58","release/13.0.1alpha59","release/13.0.1alpha6","release/13.0.1alpha60","release/13.0.1alpha61","release/13.0.1alpha62","release/13.0.1alpha63","release/13.0.1alpha64","release/13.0.1alpha65","release/13.0.1alpha66","release/13.0.1alpha67","release/13.0.1alpha68","release/13.0.1alpha69","release/13.0.1alpha7","release/13.0.1alpha8","rel
ease/13.0.1alpha9","release/13.0.1beta1","release/13.0.1beta2","release/13.0.1beta3","release/13.0.1beta3.1","release/13.0.1beta3.10","release/13.0.1beta3.11","release/13.0.1beta3.12","release/13.0.1beta3.13","release/13.0.1beta3.14","release/13.0.1beta3.15","release/13.0.1beta3.16","release/13.0.1beta3.17","release/13.0.1beta3.18","release/13.0.1beta3.19","release/13.0.1beta3.2","release/13.0.1beta3.20","release/13.0.1beta3.21","release/13.0.1beta3.22","release/13.0.1beta3.23","release/13.0.1beta3.24","release/13.0.1beta3.25","release/13.0.1beta3.3","release/13.0.1beta3.4","release/13.0.1beta3.5","release/13.0.1beta3.53","release/13.0.1beta3.54","release/13.0.1beta3.55","release/13.0.1beta3.56","release/13.0.1beta3.57","release/13.0.1beta3.58","release/13.0.1beta3.59","release/13.0.1beta3.6","release/13.0.1beta3.60","release/13.0.1beta3.61","release/13.0.1beta3.62","release/13.0.1beta3.63","release/13.0.1beta3.7","release/13.0.1beta3.9","release/13.0.2","release/13.0.20","release/13.0.21","release/13.0.22","release/13.0.23","release/13.0.24","release/13.0.25","release/13.0.26","release/13.0.27","release/13.0.28","release/13.0.29","release/13.0.3","release/13.0.30","release/13.0.31","release/13.0.32","release/13.0.33","release/13.0.34","release/13.0.35","release/13.0.36","release/13.0.37","release/13.0.38","release/13.0.4","release/13.0.40","release/13.0.41","release/13.0.41.10","release/13.0.41.11","release/13.0.41.12","release/13.0.41.13","release/13.0.41.14","release/13.0.41.3","release/13.0.41.4","release/13.0.41.5","release/13.0.41.6","release/13.0.41.7","release/13.0.41.8","release/13.0.42","release/13.0.42.1","release/13.0.42.10","release/13.0.42.11","release/13.0.42.12","release/13.0.42.13","release/13.0.42.2","release/13.0.42.3","release/13.0.42.4","release/13.0.42.5","release/13.0.42.7","release/13.0.42.8","release/13.0.42.9","release/13.0.43","release/13.0.43.1","release/13.0.43.10","release/13.0.43.11","release/13.0.43.12","release/13.0.43.13","release/1
3.0.43.2","release/13.0.43.3","release/13.0.43.4","release/13.0.43.5","release/13.0.43.6","release/13.0.43.7","release/13.0.43.8","release/13.0.43.9","release/13.0.44","release/13.0.45","release/13.0.5","release/13.0.6","release/13.0.8","release/13.0.9","release/14.0.1","release/14.0.1.1","release/14.0.1.10","release/14.0.1.11","release/14.0.1.12","release/14.0.1.13","release/14.0.1.14","release/14.0.1.15","release/14.0.1.16","release/14.0.1.18","release/14.0.1.19","release/14.0.1.2","release/14.0.1.20","release/14.0.1.21","release/14.0.1.22","release/14.0.1.23","release/14.0.1.24","release/14.0.1.25","release/14.0.1.26","release/14.0.1.27","release/14.0.1.28","release/14.0.1.29","release/14.0.1.3","release/14.0.1.30","release/14.0.1.31","release/14.0.1.32","release/14.0.1.33","release/14.0.1.34","release/14.0.1.35","release/14.0.1.36","release/14.0.1.4","release/14.0.1.5","release/14.0.1.6","release/14.0.1.7","release/14.0.1.8","release/14.0.1.9","release/14.0.10","release/14.0.10.1","release/14.0.10.2","release/14.0.10.3","release/14.0.1alpha1","release/14.0.1alpha10","release/14.0.1alpha11","release/14.0.1alpha12","release/14.0.1alpha13","release/14.0.1alpha14","release/14.0.1alpha15","release/14.0.1alpha16","release/14.0.1alpha17","release/14.0.1alpha18","release/14.0.1alpha19","release/14.0.1alpha2","release/14.0.1alpha20","release/14.0.1alpha21","release/14.0.1alpha22","release/14.0.1alpha23","release/14.0.1alpha24","release/14.0.1alpha25","release/14.0.1alpha26","release/14.0.1alpha27","release/14.0.1alpha28","release/14.0.1alpha29","release/14.0.1alpha3","release/14.0.1alpha30","release/14.0.1alpha31","release/14.0.1alpha32","release/14.0.1alpha33","release/14.0.1alpha34","release/14.0.1alpha35","release/14.0.1alpha4","release/14.0.1alpha5","release/14.0.1alpha6","release/14.0.1alpha7","release/14.0.1alpha8","release/14.0.1alpha9","release/14.0.1beta1","release/14.0.1beta10","release/14.0.1beta11","release/14.0.1beta12","release/14.0.1beta13","release/14.0.1
beta14","release/14.0.1beta15","release/14.0.1beta16","release/14.0.1beta17","release/14.0.1beta18","release/14.0.1beta19","release/14.0.1beta2","release/14.0.1beta20","release/14.0.1beta3","release/14.0.1beta4","release/14.0.1beta5","release/14.0.1beta6","release/14.0.1beta7","release/14.0.1beta8","release/14.0.1beta9","release/14.0.1rc1","release/14.0.1rc1.1","release/14.0.1rc1.10","release/14.0.1rc1.11","release/14.0.1rc1.12","release/14.0.1rc1.13","release/14.0.1rc1.14","release/14.0.1rc1.15","release/14.0.1rc1.16","release/14.0.1rc1.17","release/14.0.1rc1.18","release/14.0.1rc1.19","release/14.0.1rc1.2","release/14.0.1rc1.21","release/14.0.1rc1.22","release/14.0.1rc1.23","release/14.0.1rc1.24","release/14.0.1rc1.25","release/14.0.1rc1.26","release/14.0.1rc1.27","release/14.0.1rc1.29","release/14.0.1rc1.3","release/14.0.1rc1.30","release/14.0.1rc1.4","release/14.0.1rc1.5","release/14.0.1rc1.6","release/14.0.1rc1.7","release/14.0.1rc1.8","release/14.0.2.1","release/14.0.2.10","release/14.0.2.11","release/14.0.2.12","release/14.0.2.13","release/14.0.2.14","release/14.0.2.15","release/14.0.2.16","release/14.0.2.17","release/14.0.2.18","release/14.0.2.2","release/14.0.2.4","release/14.0.2.6","release/14.0.3","release/14.0.3.1","release/14.0.3.10","release/14.0.3.11","release/14.0.3.12","release/14.0.3.13","release/14.0.3.14","release/14.0.3.15","release/14.0.3.16","release/14.0.3.17","release/14.0.3.19","release/14.0.3.2","release/14.0.3.20","release/14.0.3.21","release/14.0.3.22","release/14.0.3.23","release/14.0.3.24","release/14.0.3.25","release/14.0.3.26","release/14.0.3.3","release/14.0.3.4","release/14.0.3.5","release/14.0.3.6","release/14.0.3.7","release/14.0.3.8","release/14.0.3.9","release/14.0.4","release/14.0.4.1","release/14.0.4.10","release/14.0.4.11","release/14.0.4.12","release/14.0.4.13","release/14.0.4.2","release/14.0.4.3","release/14.0.4.4","release/14.0.4.5","release/14.0.4.9","release/14.0.5","release/14.0.5.1","release/14.0.5.10","release/14.0.
5.11","release/14.0.5.12","release/14.0.5.13","release/14.0.5.14","release/14.0.5.15","release/14.0.5.16","release/14.0.5.17","release/14.0.5.18","release/14.0.5.19","release/14.0.5.2","release/14.0.5.20","release/14.0.5.21","release/14.0.5.22","release/14.0.5.23","release/14.0.5.24","release/14.0.5.25","release/14.0.5.26","release/14.0.5.27","release/14.0.5.28","release/14.0.5.3","release/14.0.5.4","release/14.0.5.5","release/14.0.5.6","release/14.0.5.7","release/14.0.5.8","release/14.0.5.9","release/14.0.7.1","release/14.0.7.2","release/14.0.7.3","release/14.0.7.4","release/14.0.7.5","release/14.0.7.6","release/14.0.7.7","release/14.0.8","release/14.0.8.1","release/14.0.8.2","release/14.0.8.3","release/14.0.8.4","release/14.0.9","release/14.0.9.1","release/15.0.2","release/15.0.3","release/15.0.4","release/15.0.5","release/15.0.6","release/15.0.7","release/15.0.8","release/15.0.8.1","release/15.0.8.10","release/15.0.8.11","release/15.0.8.12","release/15.0.8.13","release/15.0.8.14","release/15.0.8.15","release/15.0.8.16","release/15.0.8.17","release/15.0.8.18","release/15.0.8.19","release/15.0.8.2","release/15.0.8.20","release/15.0.8.3","release/15.0.8.4","release/15.0.8.5","release/15.0.8.6","release/15.0.8.7","release/15.0.8.8","release/15.0.8.9","release/2.11.0.0","release/2.11.0.0beta1.0","release/2.11.0.0beta1.1","release/2.11.0.0beta1.2","release/2.11.0.0beta1.3","release/2.11.0.0beta1.4","release/2.11.0.0beta1.5","release/2.11.0.0beta2.0","release/2.11.0.0beta2.1","release/2.11.0.0beta2.2","release/2.11.0.0beta2.3","release/2.11.0.0beta2.4","release/2.11.0.0beta2.5","release/2.11.0.0beta2.6","release/2.11.0.0beta2.8","release/2.11.0.0beta2.9","release/2.11.0.0rc1.0","release/2.11.0.0rc1.1","release/2.11.0.0rc1.2","release/2.11.0.0rc1.3","release/2.11.0.0rc1.4","release/2.11.0.0rc1.5","release/2.11.0.0rc1.7","release/2.11.0.1","release/2.11.0.10","release/2.11.0.11","release/2.11.0.2","release/2.11.0.3","release/2.11.0.4","release/2.11.0.5","release/2.11.0.6"
,"release/2.11.0.7","release/2.11.0.8","release/2.11.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16966.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}