Command Injection Vulnerability in FusionPBX up to 4.5.7 Allows Remote Code Execution as www-data

Command Injection Vulnerability in FusionPBX up to 4.5.7 Allows Remote Code Execution as www-data

CVE-2019-16965 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.

Learn more about our Web Application Penetration Testing UK.