CVE-2019-16991

MEDIUM

FusionPBX < 4.5.7 - Cross-Site Scripting via Unsanitized File Parameter

Title source: llm

Description

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.

Scores

CVSS v3 6.1
EPSS 0.0080
EPSS Percentile 51.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
fusionpbx/fusionpbx < 4.5.7
Published Oct 21, 2019
Tracked Since Feb 18, 2026