CVE-2019-16983
MEDIUM
FusionPBX < 4.5.7 - Cross-Site Scripting via Paging Function
Title source: llm
Description
In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.
References (2)
Core References
Patch x_refsource_misc
https://github.com/fusionpbx/fusionpbx/commit/23581e56e9a4d1685ddf1c7d67137417d654e134
Third Party Advisory x_refsource_misc
https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-15/
Scores
CVSS v3: 6.1
EPSS: 0.0080
EPSS Percentile: 51.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): fusionpbx/fusionpbx < 4.5.7
Published: Oct 21, 2019
Tracked Since: Feb 18, 2026