Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16987 | 1 Fusionpbx | 1 Fusionpbx | 2023-02-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2019-16991 | 1 Fusionpbx | 1 Fusionpbx | 2023-02-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | |||||
| CVE-2021-43403 | 1 Fusionpbx | 1 Fusionpbx | 2022-09-30 | N/A | 6.5 MEDIUM |
| An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory). | |||||
| CVE-2022-35153 | 1 Fusionpbx | 1 Fusionpbx | 2022-08-19 | N/A | 9.8 CRITICAL |
| FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | |||||
| CVE-2021-37524 | 1 Fusionpbx | 1 Fusionpbx | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. | |||||
| CVE-2022-28055 | 1 Fusionpbx | 1 Fusionpbx | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function. | |||||
| CVE-2019-11409 | 1 Fusionpbx | 1 Fusionpbx | 2022-04-18 | 6.5 MEDIUM | 8.8 HIGH |
| app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module. | |||||
| CVE-2021-43406 | 1 Fusionpbx | 1 Fusionpbx | 2021-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values). | |||||
| CVE-2021-43405 | 1 Fusionpbx | 1 Fusionpbx | 2021-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric). | |||||
| CVE-2021-43404 | 1 Fusionpbx | 1 Fusionpbx | 2021-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters. | |||||
| CVE-2020-21053 | 1 Fusionpbx | 1 Fusionpbx | 2021-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | |||||
| CVE-2020-21055 | 1 Fusionpbx | 1 Fusionpbx | 2021-05-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php. | |||||
| CVE-2020-21054 | 1 Fusionpbx | 1 Fusionpbx | 2021-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php. | |||||
| CVE-2020-21057 | 1 Fusionpbx | 1 Fusionpbx | 2021-05-25 | 5.5 MEDIUM | 8.1 HIGH |
| Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | |||||
| CVE-2020-21056 | 1 Fusionpbx | 1 Fusionpbx | 2021-05-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php. | |||||
| CVE-2019-11410 | 1 Fusionpbx | 1 Fusionpbx | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | |||||
| CVE-2019-16964 | 1 Fusionpbx | 1 Fusionpbx | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data. | |||||
| CVE-2019-15029 | 1 Fusionpbx | 1 Fusionpbx | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command. | |||||
| CVE-2019-19367 | 1 Fusionpbx | 1 Fusionpbx | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||
| CVE-2019-19366 | 1 Fusionpbx | 1 Fusionpbx | 2019-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter. | |||||