FusionPBX
by FusionPBX
CVEs (40)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-11409 | 0.10 | — | 0.86 | Jun 17, 2019 | app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote… |
| CVE-2019-15029 | 0.05 | — | 0.21 | Sep 5, 2019 | FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request… |
| CVE-2019-11410 | 0.01 | — | 0.08 | Jun 17, 2019 | app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. |
| CVE-2024-24539 | 0.00 | — | 0.00 | Mar 18, 2024 | FusionPBX before 5.2.0 does not validate a session. |
| CVE-2024-23387 | 0.00 | — | 0.00 | Jan 19, 2024 | FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product. |
| CVE-2019-19384 | 0.00 | — | 0.00 | Nov 28, 2019 | A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter. |
| CVE-2019-19385 | 0.00 | — | 0.00 | Nov 28, 2019 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter. |
| CVE-2019-19386 | 0.00 | — | 0.00 | Nov 28, 2019 | A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter. |
| CVE-2019-19387 | 0.00 | — | 0.00 | Nov 28, 2019 | A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter. |
| CVE-2019-19388 | 0.00 | — | 0.00 | Nov 28, 2019 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter. |
| CVE-2019-19366 | 0.00 | — | 0.00 | Nov 27, 2019 | A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter. |
| CVE-2019-19367 | 0.00 | — | 0.00 | Nov 27, 2019 | A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| CVE-2019-16977 | 0.00 | — | 0.00 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. |
| CVE-2019-16975 | 0.00 | — | 0.00 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. |
| CVE-2019-16976 | 0.00 | — | 0.00 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. |
| CVE-2019-16973 | 0.00 | — | 0.00 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. |
| CVE-2019-16972 | 0.00 | — | 0.00 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. |
| CVE-2019-16971 | 0.00 | — | 0.00 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. |
| CVE-2019-16974 | 0.00 | — | 0.00 | Oct 21, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. |
| CVE-2019-16969 | 0.00 | — | 0.00 | Oct 21, 2019 | In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. |
Page 1 of 2