彙總 fusionpbx 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、路徑處理缺陷、SQL 注入與輸入驗證問題,在 生產負載與軟體部署 使用場景中可能帶來 檔案覆寫、異常行為與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-24539 | FusionPBX before 5.2.0 does not validate a session. | [email protected] | 5.3 | 0.05% | 2024-03-18 | 2025-05-23 |
| CVE-2024-23387 | FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product. | [email protected] | 4.8 | 0.10% | 2024-01-19 | 2025-05-30 |
| CVE-2021-43403 | An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory). | [email protected] | 6.5 | 0.62% | 2022-09-29 | 2024-11-21 |
| CVE-2022-35153 | FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | [email protected] | 9.8 | 4.42% | 2022-08-18 | 2024-11-21 |
| CVE-2021-37524 | Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. | [email protected] | 6.1 | 0.95% | 2022-07-01 | 2024-11-21 |
| CVE-2022-28055 | Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function. | [email protected] | 9.8 | 5.33% | 2022-05-04 | 2024-11-21 |
| CVE-2021-43406 | An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values). | [email protected] | 8.8 | 0.40% | 2021-11-05 | 2024-11-21 |
| CVE-2021-43405 | An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric). | [email protected] | 8.8 | 5.24% | 2021-11-05 | 2024-11-21 |
| CVE-2021-43404 | An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters. | [email protected] | 8.8 | 0.40% | 2021-11-05 | 2024-11-21 |
| CVE-2020-21057 | Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php. | [email protected] | 8.1 | 1.26% | 2021-05-20 | 2024-11-21 |
| CVE-2020-21056 | Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php. | [email protected] | 4.3 | 1.04% | 2021-05-20 | 2024-11-21 |
| CVE-2020-21055 | A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php. | [email protected] | 6.5 | 1.41% | 2021-05-20 | 2024-11-21 |
| CVE-2020-21054 | Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php. | [email protected] | 6.1 | 0.33% | 2021-05-20 | 2024-11-21 |
| CVE-2020-21053 | Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php. | [email protected] | 6.1 | 0.33% | 2021-05-20 | 2024-11-21 |
| CVE-2019-19388 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter. | [email protected] | 6.1 | 0.43% | 2019-11-29 | 2024-11-21 |
| CVE-2019-19387 | A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter. | [email protected] | 6.1 | 0.43% | 2019-11-29 | 2024-11-21 |
| CVE-2019-19386 | A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter. | [email protected] | 6.1 | 0.43% | 2019-11-29 | 2024-11-21 |
| CVE-2019-19385 | A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter. | [email protected] | 6.1 | 0.43% | 2019-11-29 | 2024-11-21 |
| CVE-2019-19384 | A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter. | [email protected] | 6.1 | 0.43% | 2019-11-29 | 2024-11-21 |
| CVE-2019-19367 | A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. | [email protected] | 6.1 | 0.43% | 2019-11-27 | 2024-11-21 |