CVE-2019-16984

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns an unsanitized filename variable in the recording play.php file, which is base64 decoded and reflected in HTML. This leads to a potential XSS issue.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the recording play.php file to minimize the risk of exploitation. Avoid using the filename variable in the affected API endpoint until the issue is resolved.