Vendor CVEs
FusionPBX
All CVEs
52 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-15029 | Hig | 0.61 | 8.8 | 0.12 | Sep 5, 2019 | FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request… | ||
| CVE-2019-16980 | Hig | 0.50 | 8.8 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. | ||
| CVE-2019-16965 | Hig | 0.40 | 7.2 | 0.03 | Oct 21, 2019 | resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | ||
| CVE-2019-16986 | Med | 0.35 | 6.5 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.) | ||
| CVE-2019-16985 | Med | 0.35 | 6.5 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | ||
| CVE-2019-16990 | Med | 0.35 | 6.5 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. | ||
| CVE-2019-16977 | Med | 0.33 | 6.1 | 0.01 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16975 | Med | 0.33 | 6.1 | 0.01 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16976 | Med | 0.33 | 6.1 | 0.01 | Oct 23, 2019 | In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | ||
| CVE-2019-16973 | Med | 0.33 | 6.1 | 0.01 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16972 | Med | 0.33 | 6.1 | 0.01 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16971 | Med | 0.33 | 6.1 | 0.01 | Oct 22, 2019 | In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | ||
| CVE-2019-16974 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16969 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16970 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16968 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS. | ||
| CVE-2019-16991 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16989 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16988 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS. | ||
| CVE-2019-16987 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16984 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS. | ||
| CVE-2019-16983 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. | ||
| CVE-2019-16982 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16981 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | ||
| CVE-2019-16979 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. | ||
| CVE-2019-16978 | Med | 0.33 | 6.1 | 0.01 | Oct 21, 2019 | In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. | ||
| CVE-2024-23387 | Med | 0.31 | 4.8 | 0.00 | Jan 19, 2024 | FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product. | ||
| CVE-2019-11409 | Hig | 0.10 | 8.8 | 0.87 | Jun 17, 2019 | app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote… | ||
| CVE-2021-43405 | Hig | 0.06 | 8.8 | 0.36 | Nov 5, 2021 | An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric). | ||
| CVE-2019-11408 | Med | 0.01 | 6.1 | 0.07 | Jun 17, 2019 | XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code… | ||
| CVE-2024-24539 | Med | 0.00 | 5.3 | 0.01 | Mar 18, 2024 | FusionPBX before 5.2.0 does not validate a session. | ||
| CVE-2021-43403 | Med | 0.00 | 6.5 | 0.01 | Sep 29, 2022 | An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory). | ||
| CVE-2022-35153 | Cri | 0.00 | 9.8 | 0.02 | Aug 18, 2022 | FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | ||
| CVE-2021-37524 | Med | 0.00 | 6.1 | 0.01 | Jul 1, 2022 | Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. | ||
| CVE-2022-28055 | Cri | 0.00 | 9.8 | 0.01 | May 4, 2022 | Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function. | ||
| CVE-2021-43406 | Hig | 0.00 | 8.8 | 0.01 | Nov 5, 2021 | An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values). | ||
| CVE-2021-43404 | Hig | 0.00 | 8.8 | 0.01 | Nov 5, 2021 | An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters. | ||
| CVE-2020-21057 | Hig | 0.00 | 8.1 | 0.02 | May 20, 2021 | Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | ||
| CVE-2020-21056 | Med | 0.00 | 4.3 | 0.01 | May 20, 2021 | Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php. | ||
| CVE-2020-21055 | Med | 0.00 | 6.5 | 0.01 | May 20, 2021 | A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php. | ||
| CVE-2020-21054 | Med | 0.00 | 6.1 | 0.01 | May 20, 2021 | Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php. | ||
| CVE-2020-21053 | Med | 0.00 | 6.1 | 0.01 | May 20, 2021 | Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | ||
| CVE-2019-19388 | Med | 0.00 | 6.1 | 0.01 | Nov 29, 2019 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter. | ||
| CVE-2019-19387 | Med | 0.00 | 6.1 | 0.01 | Nov 29, 2019 | A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter. | ||
| CVE-2019-19386 | Med | 0.00 | 6.1 | 0.01 | Nov 29, 2019 | A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter. | ||
| CVE-2019-19385 | Med | 0.00 | 6.1 | 0.01 | Nov 29, 2019 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter. | ||
| CVE-2019-19384 | Med | 0.00 | 6.1 | 0.01 | Nov 29, 2019 | A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter. | ||
| CVE-2019-19367 | Med | 0.00 | 6.1 | 0.01 | Nov 27, 2019 | A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | ||
| CVE-2019-19366 | Med | 0.00 | 6.1 | 0.01 | Nov 27, 2019 | A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter. | ||
| CVE-2019-16964 | Hig | 0.00 | 8.8 | 0.02 | Oct 21, 2019 | app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit)… |
- risk 0.61cvss 8.8epss 0.12
FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request…
- risk 0.50cvss 8.8epss 0.01
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
- risk 0.40cvss 7.2epss 0.03
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
- risk 0.35cvss 6.5epss 0.01
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)
- risk 0.35cvss 6.5epss 0.01
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
- risk 0.35cvss 6.5epss 0.01
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
- risk 0.33cvss 6.1epss 0.01
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
- risk 0.31cvss 4.8epss 0.00
FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
- risk 0.10cvss 8.8epss 0.87
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote…
- risk 0.06cvss 8.8epss 0.36
An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).
- risk 0.01cvss 6.1epss 0.07
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code…
- risk 0.00cvss 5.3epss 0.01
FusionPBX before 5.2.0 does not validate a session.
- risk 0.00cvss 6.5epss 0.01
An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).
- risk 0.00cvss 9.8epss 0.02
FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.
- risk 0.00cvss 6.1epss 0.01
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.
- risk 0.00cvss 9.8epss 0.01
Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.
- risk 0.00cvss 8.8epss 0.01
An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values).
- risk 0.00cvss 8.8epss 0.01
An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters.
- risk 0.00cvss 8.1epss 0.02
Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php.
- risk 0.00cvss 4.3epss 0.01
Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php.
- risk 0.00cvss 6.5epss 0.01
A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php.
- risk 0.00cvss 6.1epss 0.01
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php.
- risk 0.00cvss 6.1epss 0.01
Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
- risk 0.00cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
- risk 0.00cvss 8.8epss 0.02
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit)…
Page 1 of 2