Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fusionpbx
(Fusionpbx)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 51 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-01-19 | CVE-2024-23387 | FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product. | Fusionpbx | 4.8 | ||
2021-11-05 | CVE-2021-43404 | An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters. | Fusionpbx | 8.8 | ||
2021-11-05 | CVE-2021-43405 | An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric). | Fusionpbx | 8.8 | ||
2022-05-04 | CVE-2022-28055 | Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function. | Fusionpbx | 9.8 | ||
2022-08-18 | CVE-2022-35153 | FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | Fusionpbx | 9.8 | ||
2019-10-21 | CVE-2019-16978 | In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
2019-10-21 | CVE-2019-16979 | In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
2019-10-21 | CVE-2019-16980 | In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. | Fusionpbx | 8.8 | ||
2019-10-21 | CVE-2019-16990 | In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. | Fusionpbx | 6.5 | ||
2019-10-21 | CVE-2019-16981 | In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | Fusionpbx | 6.1 |