48 matches found
CVE-2019-16987
In FusionPBX up to v4.5.7, the file app\contacts\contactimport.php uses an unsanitized "querystring" variable coming from the URL, which is reflected in HTML, leading to XSS...
CVE-2019-16978
In FusionPBX up to v4.5.7, the file app\devices\devicesettings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS...
CVE-2019-16981
In FusionPBX up to v4.5.7, the file app\conferenceprofiles\conferenceprofileparams.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS...
CVE-2019-16990
In FusionPBX up to v4.5.7, the file app/musiconhold/musiconhold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname base64 encoded and allows a download of it...
CVE-2019-16976
In FusionPBX up to 4.5.7, the file app\destinations\destinationimports.php uses an unsanitized "querystring" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS...
CVE-2019-16986
In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. resources\securedownload.php is also affected...
EUVD-2019-7463
Malware in sbrugna...
EUVD-2019-7454
Malware in sbrugna...
EUVD-2019-8988
Malware in sbrugna...
EUVD-2019-7464
Malware in sbrugna...
EUVD-2019-7468
Malware in sbrugna...
EUVD-2019-7462
Malware in sbrugna...
EUVD-2021-30338
Malicious code in bioql PyPI...
EUVD-2021-30341
Malicious code in bioql PyPI...
CVE-2021-37524
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php...
CVE-2021-43404
An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters...
CVE-2020-21056
Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variable to app\edit\foldernew.php...
CVE-2019-16965
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data...
CVE-2019-15029
FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the serviceedit.php file which will insert the malicious command into the database. To trigger the command, one needs to call the services.php file via a GET request with the service id...
CVE-2019-19387
A cross-site scripting (XSS) vulnerability in app/fifolist/fifointeractive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter...