News Bulletin

XSS Vulnerability Fixed in Issabel 5.0.0 (Advisory ID INC-2025-0012)

In response to the security advisory issued by the Spanish National Cybersecurity Institute (INCIBE) under ID INC-2025-0012, we inform the public that the reported vulnerability in Issabel v5.0.0 has been identified, fixed, and resolved through official package updates.

🛡️ Vulnerability Description

  • Type: Stored Cross-Site Scripting (XSS)

  • CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation

  • Vector: Sending a POST request to /index.php?menu=conference using the conference_number parameter.

  • Potential Impact: Under certain conditions, an authenticated attacker could craft a malicious request that, if accessed by another authenticated user, may lead to session cookie exposure.

  • CVSS v3.1 Base Score: 5.4

  • Affected Products: Issabel v5.0.0

  • Date Reported to Issabel: January 2025

While this vulnerability received a medium severity rating, its real-world exploitability is considered very low: exploitation requires an authenticated account, and the affected page restricts what can be executed.

Solution Implemented

On February 10, 2025, the Issabel development team released updated packages that address the issue:

  • issabel-pbx version 5.0.0-4

  • issabel-agenda version 5.0.0-2

These packages implement stricter input validation for the affected parameter. The updates are now available through the official updates repository.
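The two layers that "stricter input validation" for a field like conference_number normally means are shown below as an added illustration; this is not Issabel's own code, and the function names, the regex bounds and the handler flow are assumptions made for the example.

```php
<?php
// Added illustrative example, not Issabel's own code. Function names, the
// length bound and the handler flow are hypothetical; the point is the
// two-layer defence: allowlist the input, then encode on output.

declare(strict_types=1);

/**
 * Allowlist validation for the conference_number POST parameter.
 * A conference room number is a short string of ASCII digits, so anything
 * else (markup, quotes, whitespace, non-ASCII digits) is rejected outright
 * rather than "cleaned". Returns the canonical value or null on rejection.
 */
function validate_conference_number($raw): ?string
{
    if (!is_string($raw)) {          // e.g. conference_number[] arrives as an array
        return null;
    }
    // \A and \z anchor the whole value so a trailing newline cannot slip past;
    // the length bound (assumed here) keeps oversized values out of the database.
    if (preg_match('/\A[0-9]{1,20}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Output encoding for the stored value when it is rendered into HTML.
 * Even with input validation in place, every rendered field is encoded for
 * its context, so a value that reached the database by another path (older
 * import, direct SQL edit, a future bug) still cannot run as script.
 */
function render_conference_number(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical handler flow for POST /index.php?menu=conference:
// $number = validate_conference_number($_POST['conference_number'] ?? null);
// if ($number === null) { http_response_code(400); exit('Invalid conference number'); }
// ... persist $number; later: echo render_conference_number($number);

// Constructed sample values for a quick self-check:
assert(validate_conference_number('8000') === '8000');
assert(validate_conference_number("8000\n") === null);   // trailing newline rejected
assert(validate_conference_number('8000abc') === null);  // non-digit rejected
assert(validate_conference_number(['8000']) === null);   // array rejected
assert(render_conference_number('a"b') === 'a&quot;b'); // quotes encoded on output
```

Rejecting invalid input with a 400 rather than stripping characters keeps the stored data canonical, and the output encoding is what protects other authenticated users who later view the record.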

Recommended Update Command:

yum update issabel-pbx issabel-agenda

Direct Package Links:

  • http://repo.issabel.org/issabel/5/updates/noarch/RPMS/issabel-agenda-5.0.0-2.noarch.rpm
  • http://repo.issabel.org/issabel/5/updates/noarch/RPMS/issabel-pbx-5.0.0-4.noarch.rpm

Validation and Testing

Comprehensive functional testing was conducted in a controlled environment, confirming that:

  • Creating, editing, and deleting entries in the conference and agenda modules works as expected.
  • No side effects were detected.
  • The updates were promoted from the alpha repository to the updates repository and are now publicly available to all users.

🤝 Acknowledgment

We thank INCIBE for its responsible disclosure and collaboration in this process. Their proactive communication helps strengthen the security of the open-source ecosystem and mission-critical communication platforms.

The Issabel Team
