Unsanitized file Variable in FusionPBX up to v4.5.7 Allows XSS via app\edit\filedelete.php
CVE-2019-16991 · MEDIUM Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
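
The pattern described above, next to an output-encoded version, as an added example. This is not FusionPBX source code: the function names, the HTML markup and the sample value are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler, not FusionPBX source: the "file" URL parameter
// is concatenated into the HTML response without encoding.
function confirm_unsafe(array $query): string
{
    $file = (string) ($query['file'] ?? '');
    return '<div class="msg">Deleted: ' . $file . '</div>';
}

// Hardened form: accept only a string, then encode for the HTML context
// at the point of output.
function confirm_safe(array $query): string
{
    $file = $query['file'] ?? '';
    if (!is_string($file)) {
        // A request such as file[]=x arrives as an array; treat it as empty.
        $file = '';
    }
    // ENT_QUOTES covers both quote styles, so the value is also safe
    // inside a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    $encoded = htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="msg">Deleted: ' . $encoded . '</div>';
}

// Constructed sample value containing HTML metacharacters (benign markup only).
$query = ['file' => 'notes <b>2019</b> & "old".txt'];

// The first line carries the <b> tags through as live markup;
// the second renders them as literal text.
echo confirm_unsafe($query), PHP_EOL;
echo confirm_safe($query), PHP_EOL;
```

Encoding belongs at the output site because the same value needs different escaping in HTML, attribute, JavaScript and URL contexts.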