Multiple vulnerabilities in Issabel products

Posted date 01/10/2025
Identifier
INCIBE-2025-0531
Importance
3 - Medium
Affected Resources
  • Issabel, issabel-pbx module, versions prior to 5.0.0-2.
  • Issabel, issabel-agenda module, versions prior to 5.0.0-4.
Description

INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Issabel, a unified communications platform. The vulnerabilities were discovered by Oriol Vilella Jam.

Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-40647: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2025-40648: 4.8 | CVSS AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

The vulnerabilities have been fixed by the Issabel team in the issabel-pbx module version 5.0.0-2 and in the issabel-agenda module version 5.0.0-4.

Detail

Issabel v5.0.0 contains stored Cross-Site Scripting (XSS) vulnerabilities caused by a lack of proper validation of user input. The affected parameters and their assigned identifiers are as follows:

  • CVE-2025-40647: 'email' parameter in '/index.php?menu=address_book'.
  • CVE-2025-40648: 'numero_conferencia' parameter in '/index.php?menu=conferencia'.
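As an added example, not code from Issabel or from the advisory, the pattern behind both findings in PHP: a stored value echoed straight into the page beside its hardened form, with input validation for the two named parameters (the function names and the digits-only rule for the conference number are assumptions):

```php
<?php
declare(strict_types=1);
// Added example, not Issabel's own code. The function names and the rule that a
// conference number is a short run of digits are assumptions for illustration.

// Input validation for the 'email' parameter of the address book.
function validate_email(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Input validation for 'numero_conferencia': digits only (assumed format).
function validate_conference_number(string $num): ?string
{
    return preg_match('/^[0-9]{1,10}$/', $num) === 1 ? $num : null;
}

// Output encoding: the control that holds even for values stored before
// validation existed, or if validation is ever bypassed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: a stored value is written straight into the page.
function render_row_vulnerable(array $row): string
{
    return '<td>' . $row['email'] . '</td>';
}

// Hardened pattern: the same row, encoded at the HTML boundary.
function render_row_safe(array $row): string
{
    return '<td>' . h($row['email']) . '</td>';
}

// Constructed sample: a record as the unpatched form would have stored it.
$stored = ['email' => '<script>alert(1)</script>'];

var_dump(validate_email($stored['email']));       // rejected on input
var_dump(validate_email('user@example.com'));     // accepted
var_dump(validate_conference_number('1234'));
var_dump(validate_conference_number('12<b>34'));
echo render_row_vulnerable($stored), PHP_EOL;     // markup reaches the browser
echo render_row_safe($stored), PHP_EOL;           // markup rendered as inert text
```

Validation narrows what gets stored; output encoding is what actually prevents the stored value from being interpreted as markup, so both belong in the fix.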
CVE

  • CVE-2025-40647: Exploitation: No | New vendor: Issabel | Severity: Medium
  • CVE-2025-40648: Exploitation: No | New vendor: Issabel | Severity: Medium