Filtered by vendor Fusionpbx
Subscriptions
Filtered by product Fusionpbx
Subscriptions
Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16972 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-16979 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-16973 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-16974 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-16982 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-16965 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 7.2 High |
| resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | ||||
| CVE-2019-16978 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | ||||
| CVE-2019-16983 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | ||||
| CVE-2019-16976 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | ||||
| CVE-2019-16985 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.5 Medium |
| In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | ||||
| CVE-2019-16980 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 8.8 High |
| In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. | ||||
| CVE-2019-16968 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. | ||||
| CVE-2019-16989 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 6.1 Medium |
| In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||||
| CVE-2019-15029 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | N/A |
| FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command. | ||||
| CVE-2019-11409 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | 8.8 High |
| app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module. | ||||
| CVE-2019-11410 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | N/A |
| app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | ||||
| CVE-2019-11408 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | N/A |
| XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. | ||||
| CVE-2019-11407 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | N/A |
| app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information. | ||||
| CVE-2020-21057 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | 8.1 High |
| Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | ||||
| CVE-2020-21053 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-04 | 6.1 Medium |
| Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | ||||