Fusionpbx

fusionpbx

Vendor: Fusionpbx • 52 CVEs

CVEs (52)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-24539 1Fusionpbx 1Fusionpbx May 23, 2025 Mar 18, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 FusionPBX before 5.2.0 does not validate a session.
CVE-2024-23387 1Fusionpbx 1Fusionpbx May 30, 2025 Jan 19, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the w...Show more FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.Show less
CVE-2021-43403 1Fusionpbx 1Fusionpbx Nov 21, 2024 Sep 29, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directo...Show more An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).Show less
CVE-2022-35153 1Fusionpbx 1Fusionpbx Nov 21, 2024 Aug 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.
CVE-2021-37524 1Fusionpbx 1Fusionpbx Nov 21, 2024 Jul 1, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.
CVE-2022-28055 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.
CVE-2021-43406 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 5, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values).
CVE-2021-43405 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 5, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).
CVE-2021-43404 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 5, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters.
CVE-2020-21057 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 20, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Directory Traversal vulnerability in FusionPBX 4.5.7, which allows a remote malicious user to delete folders on the system via the folder variable to app/edit/folderdelete.php.
CVE-2020-21056 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 20, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Directory Traversal vulnerability exists in FusionPBX 4.5.7, which allows a remote malicious user to create folders via the folder variale to app\edit\foldernew.php.
CVE-2020-21055 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 20, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A Directory Traversal vulnerability exists in FusionPBX 4.5.7 allows malicoius users to rename any file of the system.via the (1) folder, (2) filename, and (3) newfilename variables in app\edit\filerename.php.
CVE-2020-21054 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 20, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\vars_textarea.php.
CVE-2020-21053 1Fusionpbx 1Fusionpbx Nov 21, 2024 May 20, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross Site Scriptiong (XSS) vulnerability exists in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "query_string" variable in app\devices\device_imports.php.
CVE-2019-19388 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 29, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.
CVE-2019-19387 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 29, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.
CVE-2019-19386 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 29, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter...Show more A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.Show less
CVE-2019-19385 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 29, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter.
CVE-2019-19384 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 29, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.
CVE-2019-19367 1Fusionpbx 1Fusionpbx Nov 21, 2024 Nov 27, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

12 3 Next