CVE-2019-16964

Name of the Vulnerable Software and Affected Versions FusionPBX versions up to 4.5.7

Description The issue arises from a lack of input validation in the Call Center Queue Module, specifically in the app/call centers/cmd.php file. This allows authenticated attackers with certain permissions to execute commands on the host. The permissions required for exploitation are call center queue add or call center queue edit.

Recommendations For FusionPBX versions up to 4.5.7, update to a version that includes a fix for this issue to prevent command injection attacks. As a temporary workaround, consider restricting access to the Call Center Queue Module for users with the call center queue add or call center queue edit permissions until a patch is available.