Shodan
Vulnerabilities
Vulnerable Software
Fusionpbx:  >> Fusionpbx  >> 4.4.8  Security Vulnerabilities
CVE-2024-24539
FusionPBX before 5.2.0 does not validate a session.
CVSS Score
5.3
EPSS Score
0.0
Published
2024-03-18
CVE-2024-23387
FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
CVSS Score
4.8
EPSS Score
0.001
Published
2024-01-19
CVE-2021-43403
An issue was discovered in FusionPBX before 4.5.30. The log_viewer.php Log View page allows an authenticated user to choose an arbitrary filename for download (i.e., not necessarily freeswitch.log in the intended directory).
CVSS Score
6.5
EPSS Score
0.004
Published
2022-09-29
CVE-2021-37524
Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.
CVSS Score
6.1
EPSS Score
0.009
Published
2022-07-01
CVE-2021-43404
An issue was discovered in FusionPBX before 4.5.30. The FAX file name may have risky characters.
CVSS Score
8.8
EPSS Score
0.004
Published
2021-11-05
CVE-2021-43405
An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).
CVSS Score
8.8
EPSS Score
0.112
Published
2021-11-05
CVE-2021-43406
An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values).
CVSS Score
8.8
EPSS Score
0.004
Published
2021-11-05
CVE-2019-16977
In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-23
CVE-2019-16975
In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-23
CVE-2019-16976
In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-23


Products
Pricing
Contact Us

Shodan ® - All rights reserved