fusionpbx CVE Vulnerabilities & CVE List (52)

Products (CPE): — CVEs: 52

fusionpbx vulnerability overview

Aggregates CVE and security vulnerability intelligence across all fusionpbx-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve vendor risk cross-site scripting, vendor risk path handling, vendor risk sql injection, and vendor risk input validation and related problems; some flaws may lead to vendor impact file overwrite.

Vulnerability distribution trend (last 24 months)

Showing 4152 of 52 CVEs
«« First « Prev Page 3 / 3 Next »
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2019-16983 In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS. [email protected] 6.1 0.80% 2019-10-21 2026-06-16
CVE-2019-16982 In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. [email protected] 6.1 0.80% 2019-10-21 2026-06-16
CVE-2019-16981 In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. [email protected] 6.1 0.80% 2019-10-21 2026-06-16
CVE-2019-16990 In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. [email protected] 6.5 1.28% 2019-10-21 2026-06-16
CVE-2019-16980 In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. [email protected] 8.8 1.20% 2019-10-21 2026-06-16
CVE-2019-16979 In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS. [email protected] 6.1 0.82% 2019-10-21 2026-06-16
CVE-2019-16978 In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS. [email protected] 6.1 0.86% 2019-10-21 2026-06-16
CVE-2019-15029 FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command. [email protected] 8.8 12.32% 2019-09-05 2026-06-16
CVE-2019-11410 app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. [email protected] 7.2 3.38% 2019-06-17 2026-06-16
CVE-2019-11409 app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module. [email protected] 8.8 87.48% 2019-06-17 2026-06-16
CVE-2019-11408 XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX. [email protected] 6.1 6.87% 2019-06-17 2026-06-16
CVE-2019-11407 app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 suffers from an information disclosure vulnerability due to excessive debug information, which allows authenticated administrative attackers to obtain credentials and other sensitive information. [email protected] 7.2 1.54% 2019-06-17 2026-06-16
«« First « Prev Page 3 / 3 Next »
cvelogic Threat Intelligence