Vulnerabilities > Fusionpbx > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-10-21 | CVE-2019-16974 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16969 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16970 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16968 | Cross-site Scripting vulnerability in Fusionpbx An issue was discovered in FusionPBX up to 4.5.7. | 6.1 |
| 2019-10-21 | CVE-2019-16991 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16989 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16988 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16987 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16986 | Path Traversal vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. | 6.5 |
| 2019-10-21 | CVE-2019-16985 | Path Traversal vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | 6.5 |