Skip to main content

Fusionpbx CVE-2024-23387

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-01-19 vultures@jpcert.or.jp
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 19, 2024 - 04:15 nvd
MEDIUM 4.8

DescriptionNVD

FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.

AnalysisAI

FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product. Affected products include: Fusionpbx. Version information: prior to 5.1.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2019-11409 HIGH POC
8.8 Jun 17

app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerabili

CVE-2021-43405 HIGH POC
8.8 Nov 05

An issue was discovered in FusionPBX before 4.5.30. Rated high severity (CVSS 8.8), this vulnerability is remotely explo

CVE-2019-15029 HIGH POC
8.8 Sep 05

FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service

CVE-2019-19388 MEDIUM POC
6.1 Nov 29

A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote at

CVE-2019-19387 MEDIUM POC
6.1 Nov 29

A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attack

CVE-2019-19386 MEDIUM POC
6.1 Nov 29

A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 all

CVE-2019-19385 MEDIUM POC
6.1 Nov 29

A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to

CVE-2019-19384 MEDIUM POC
6.1 Nov 29

A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inj

CVE-2019-19367 MEDIUM POC
6.1 Nov 27

A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject

CVE-2019-19366 MEDIUM POC
6.1 Nov 27

A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers

CVE-2019-11408 MEDIUM POC
6.1 Jun 17

XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated at

CVE-2022-35153 CRITICAL
9.8 Aug 18

FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. Rated critical severi

Share

CVE-2024-23387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy