Vulnerabilities > Fusionpbx > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-10-21 | CVE-2019-16984 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16983 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16982 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16981 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16990 | Path Traversal vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. | 6.5 |
| 2019-10-21 | CVE-2019-16979 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | 6.1 |
| 2019-10-21 | CVE-2019-16978 | Cross-site Scripting vulnerability in Fusionpbx In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | 6.1 |
| 2019-06-17 | CVE-2019-11408 | Cross-site Scripting vulnerability in Fusionpbx 4.4.3 XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. | 6.1 |