First published: Mon Oct 21 2019
In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FusionPBX | <=4.5.7 | Upgrade to 4.5.8 or later |
CVE-2019-16970 is a vulnerability in FusionPBX up to version 4.5.7 that allows for cross-site scripting (XSS) attacks.
Because the savemsg value is reflected into the page without encoding, an attacker who gets a user to open a crafted URL can inject script into the HTML rendered in that user's browser, potentially leading to unauthorized access or data theft.
The severity of CVE-2019-16970 is medium, with a CVSS score of 6.1.
To fix CVE-2019-16970, upgrade FusionPBX to version 4.5.8 or above, which includes the necessary patch for this vulnerability.
More information about CVE-2019-16970 is available in the fix commit on GitHub (https://github.com/fusionpbx/fusionpbx/commit/a55f1cd5d8edd655058152e9acf212680d5b75f3) and in the researcher's blog post (https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-3/).
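To show the class of bug the advisory describes, here is an added PHP illustration (not FusionPBX's code and not taken from the fix commit): a handler that reflects the savemsg query parameter into HTML as-is, beside the same handler with output encoding. The parameter name follows the advisory; the surrounding markup, function names and sample input are assumptions.

```php
<?php
// Added example, not FusionPBX source. The parameter name "savemsg" comes
// from the advisory; the markup and function names are assumed.

// Vulnerable pattern: the raw query-string value is concatenated into
// the HTML, so any markup it contains is interpreted by the browser.
function render_status_unsafe(array $query): string
{
    $msg = $query['savemsg'] ?? '';
    return '<div class="msg">' . $msg . '</div>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES
// encodes both quote characters so the value is also safe inside an
// attribute, and the charset is pinned so encoding cannot be confused.
function render_status_safe(array $query): string
{
    $msg = $query['savemsg'] ?? '';
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="msg">' . $safe . '</div>';
}

// Constructed sample input: a status string carrying markup characters,
// of the kind a crafted link could place in the query string.
$sample = ['savemsg' => 'Saved <b>ok</b> & "done"'];

// In the unsafe rendering the <b> element is emitted as live markup.
echo render_status_unsafe($sample), PHP_EOL;

// In the safe rendering every <, >, & and " is emitted as an entity,
// so the browser shows the text literally instead of parsing it.
echo render_status_safe($sample), PHP_EOL;
```

Run it with `php example.php` and compare the two output lines. The defensive point is that escaping belongs at the output boundary, where the context (here an HTML text node) is known; a status message that only ever takes a handful of fixed values is better served by looking up a server-side string from a whitelist than by reflecting user input at all.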