First published: Mon Oct 21 2019(Updated: )
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Fusionpbx Fusionpbx | <=4.5.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2019-16991 is rated as medium with a CVSS score of 6.1.
CVE-2019-16991 impacts FusionPBX up to version 4.5.7 by allowing XSS attacks through the unsanitized 'file' variable in the file app\edit\filedelete.php.
To fix the XSS vulnerability in FusionPBX related to CVE-2019-16991, update to a version beyond 4.5.7 that contains the necessary security patches.