Unsanitized file Variable in FusionPBX up to v4.5.7 Allows XSS via app\edit\filedelete.php

CVE-2019-16991 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
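
The reflected pattern described above, next to a hardened form, as an added example that is not FusionPBX source code. The function names, the allow-list pattern, and the sample value are assumptions constructed for illustration; only the "file" URL parameter name comes from the advisory.

```php
<?php
// Added illustration, not code from app\edit\filedelete.php.
// All function names and sample values here are hypothetical.

// Pattern the advisory describes: the "file" URL value reaches HTML as-is,
// so any markup in the parameter becomes part of the page.
function render_confirm_unsafe(array $query): string
{
    $file = $query['file'] ?? '';
    return '<p>Delete file: ' . $file . '?</p>';
}

// Output encoding at the point where the value enters HTML.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: type check, allow-list validation, then encoding.
// The encoding step is kept even after validation, so a later change to
// the pattern cannot reintroduce the reflection.
function render_confirm_safe(array $query): string
{
    $file = $query['file'] ?? '';
    if (!is_string($file)                                   // rejects file[]=...
        || !preg_match('#^[A-Za-z0-9._/-]{1,255}$#', $file) // assumed name policy
        || strpos($file, '..') !== false) {                 // no parent traversal
        return '<p>Invalid file name.</p>';
    }
    return '<p>Delete file: ' . html_encode($file) . '?</p>';
}

// Constructed sample input standing in for $_GET.
$constructed = ['file' => 'notes.txt<b>markup</b>'];

echo render_confirm_unsafe($constructed), PHP_EOL;    // markup passes through
echo render_confirm_safe($constructed), PHP_EOL;      // rejected by validation
echo html_encode($constructed['file']), PHP_EOL;      // encoded, inert as text
echo render_confirm_safe(['file' => 'scripts/dialplan.lua']), PHP_EOL;
```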