CVE-2019-16986

Published October 21st, 2019

View on NVD ↗

CVSS v3

6.5

MEDIUM

CVSS v2

MEDIUM

Affected

PROJECT

Description

In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.)

fusionpbx/fusionpbx

Official FusionPBX - A full-featured domain based multi-tenant PBX and voice switch for FreeSwitch.

GitHub

1.01K