Vulnerabilities > Fusionpbx > Fusionpbx > 4.2.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-10-22 | CVE-2019-16973 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-22 | CVE-2019-16972 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-22 | CVE-2019-16971 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16974 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16969 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16970 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16968 | Cross-site Scripting vulnerability in Fusionpbx An issue was discovered in FusionPBX up to 4.5.7. | 6.1 |
| 2019-10-21 | CVE-2019-16965 | OS Command Injection vulnerability in Fusionpbx resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | 7.2 |
| 2019-10-21 | CVE-2019-16964 | OS Command Injection vulnerability in Fusionpbx app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data. | 9.0 |
| 2019-10-21 | CVE-2019-16991 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |