Vulnerability Details CVE-2019-16985
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.6%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 8.5
Products affected by CVE-2019-16985
-
cpe:2.3:a:fusionpbx:fusionpbx:4.0.0
-
cpe:2.3:a:fusionpbx:fusionpbx:4.2
-
cpe:2.3:a:fusionpbx:fusionpbx:4.2.1
-
cpe:2.3:a:fusionpbx:fusionpbx:4.2.2
-
cpe:2.3:a:fusionpbx:fusionpbx:4.4.0
-
cpe:2.3:a:fusionpbx:fusionpbx:4.4.1
-
cpe:2.3:a:fusionpbx:fusionpbx:4.4.3
-
cpe:2.3:a:fusionpbx:fusionpbx:4.4.8
-
cpe:2.3:a:fusionpbx:fusionpbx:4.5.7