Fusionpbx

Fusionpbx

52 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2019-16968

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 20:15:10
  • Zuletzt bearbeitet 21.11.2024 04:31:26

An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS.

9

CVE-2019-16965

  • EPSS 2.73%
  • Veröffentlicht 21.10.2019 19:15:10
  • Zuletzt bearbeitet 21.11.2024 04:31:26

resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.

9

CVE-2019-16964

  • EPSS 3.45%
  • Veröffentlicht 21.10.2019 19:15:10
  • Zuletzt bearbeitet 21.11.2024 04:31:25

app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_a...

8.5

CVE-2019-16985

  • EPSS 0.39%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:28

In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.

6.5

CVE-2019-16986

  • EPSS 0.49%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:29

In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)

6.1

CVE-2019-16987

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:29

In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

6.1

CVE-2019-16988

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:29

In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.

6.1

CVE-2019-16989

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:29

In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.

6.1

CVE-2019-16991

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 16:15:18
  • Zuletzt bearbeitet 21.11.2024 04:31:29

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.

6.1

CVE-2019-16984

  • EPSS 0.33%
  • Veröffentlicht 21.10.2019 16:15:17
  • Zuletzt bearbeitet 21.11.2024 04:31:28

In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.