Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fusionpbx
(Fusionpbx)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 51 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-10-21 | CVE-2019-16982 | In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16983 | In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16984 | In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16985 | In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | Fusionpbx | 6.5 | ||
| 2019-10-21 | CVE-2019-16986 | In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.) | Fusionpbx | 6.5 | ||
| 2019-10-21 | CVE-2019-16987 | In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16988 | In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16989 | In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16991 | In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | Fusionpbx | 6.1 | ||
| 2019-10-21 | CVE-2019-16965 | resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | Fusionpbx | 7.2 |