First published: Mon Oct 21 2019
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FusionPBX | <=4.5.7 | Apply the latest patch or update to a version higher than v4.5.7 |
CVE-2019-16986 is a vulnerability in FusionPBX up to v4.5.7 that allows a download of any pathname.
CVE-2019-16986 affects FusionPBX up to v4.5.7, specifically the files resources\download.php and resources\secure_download.php.
CVE-2019-16986 has a severity rating of medium with a CVSS score of 6.5.
To fix CVE-2019-16986 in FusionPBX, apply the latest patch or update to a version higher than v4.5.7.
The CWE ID for CVE-2019-16986 is CWE-22.
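The following is an added illustrative example, not FusionPBX's own code, showing the mitigation for the CWE-22 pattern described above: the user-supplied "f" parameter is resolved with realpath() and rejected unless the canonical result lies inside one allowed directory. The directory name and the function name are assumptions made for this example.

```php
<?php
// Added example (not from FusionPBX). The weak pattern the advisory describes is
// passing the raw "f" query parameter straight to readfile() with no directory
// check; the handler below replaces that with a canonical-path allow-list.

// Assumption: downloadable files live only under this directory.
$base_dir = '/var/www/downloads';

function resolve_download_path(string $base_dir, string $requested): ?string
{
    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" segments and follows symlinks, so the prefix
    // check below sees the real on-disk location, not the attacker's string.
    // An absolute "f" value is harmless here: it is concatenated under $base
    // and then canonicalised like any other name.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The trailing separator stops "/var/www/downloads_old/x" from passing
    // as a prefix match; symlinks that escape $base also fail this test.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

$path = resolve_download_path($base_dir, (string) ($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(403);
    exit('forbidden');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A request for "../../etc/passwd" canonicalises to a path outside the allowed directory and is refused with 403, while a plain file name under the directory is served unchanged.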