Vulnerabilities > Fusionpbx > Fusionpbx > 4.4.3
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-10-21 | CVE-2019-16979 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
2019-10-21 | CVE-2019-16978 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | 6.1 |
2019-06-17 | CVE-2019-11410 | OS Command Injection vulnerability in Fusionpbx 4.4.3 app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | 9.0 |
2019-06-17 | CVE-2019-11409 | OS Command Injection vulnerability in Fusionpbx 4.4.3 app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. | 6.5 |
2019-06-17 | CVE-2019-11408 | Cross-site Scripting vulnerability in Fusionpbx 4.4.3 XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. | 4.3 |
2019-06-17 | CVE-2019-11407 | Information Exposure vulnerability in Fusionpbx 4.4.3 app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information. | 4.0 |