Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16982 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16990 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. | |||||
| CVE-2019-16991 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16986 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.) | |||||
| CVE-2019-16971 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16969 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16979 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16968 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. | |||||
| CVE-2019-16965 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 9.0 HIGH | 7.2 HIGH |
| resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | |||||
| CVE-2019-16985 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 8.5 HIGH | 6.5 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | |||||
| CVE-2019-19385 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter. | |||||
| CVE-2019-16988 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | |||||
| CVE-2019-16974 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16987 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16973 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-19384 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter. | |||||
| CVE-2019-16977 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16984 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. | |||||
| CVE-2019-16972 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16983 | 1 Fusionpbx | 1 Fusionpbx | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | |||||