VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2019 · Updated Aug 4, 2024

CVE-2019-11407

Description

app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX 4.4.3 Operator Panel module exposes debug info in index_inc.php, allowing authenticated admins to obtain credentials and other sensitive data.

Vulnerability

The Operator Panel module in FusionPBX 4.4.3 includes app/operator_panel/index_inc.php, which exposes excessive debug information. This occurs when the application is configured to show debug output, which is enabled by default in certain administrative contexts. The affected file logs or displays detailed error messages containing sensitive data, including credentials.

Exploitation

An attacker with authenticated administrative access to the FusionPBX web interface can trigger the debug output by accessing the Operator Panel module. No special privileges beyond standard admin rights are required. The attacker simply navigates to the vulnerable page, and the debug information is rendered in the response.

Impact

Successful exploitation leads to information disclosure, revealing credentials (such as database passwords and API keys) and other sensitive configuration details. This can allow the attacker to escalate privileges, access other systems, or compromise the FusionPBX installation further.

Mitigation

The issue is fixed in commit f38676b7b63bb1ec3a68d577fe23e6701f482aef [1]. Users should update FusionPBX to a version that includes this commit or disable debug output in production environments. As of the publication date, no official release containing the fix has been announced, so applying the patch manually or awaiting an updated release is recommended.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
