First published: Tue Oct 22 2019(Updated: )
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Fusionpbx Fusionpbx | <=4.5.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-16972 is a vulnerability in FusionPBX up to version 4.5.7 that allows for cross-site scripting (XSS) attacks.
CVE-2019-16972 affects FusionPBX up to version 4.5.7 by allowing an attacker to execute malicious code through cross-site scripting (XSS).
The severity of CVE-2019-16972 is medium, with a CVSSv3 score of 6.1.
To fix CVE-2019-16972, you should update FusionPBX to version 4.5.8 or higher, which includes a patch for the vulnerability.
You can find more information about CVE-2019-16972 at the following links: [GitHub Commit](https://github.com/fusionpbx/fusionpbx/commit/913ad234cf145a55e5f2faaab08d776d83c1699b) and [Resp3ct Blog](https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-5/).