Xax007

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `app uuid` parameter in the "app/dialplans/dialplans.php" endpoint. **Recommendations** For FusionPBX version 4.4.1, avoid using the `app uuid` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `c` parameter in the `/app/fifo list/fifo interactive.php` API endpoint. **Recommendations** For FusionPBX version 4.4.1, consider disabling the `c` parameter in the `/app/fifo list/fifo interactive.php` endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `dialplan uuid` parameter in the `/app/dialplans/dialplan detail edit.php` endpoint. **Recommendations** For FusionPBX version 4.4.1, avoid using the `dialplan uuid` parameter in the `/app/dialplans/dialplan detail edit.php` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `fax uuid` parameter in the `/app/fax/fax log view.php` API endpoint. **Recommendations** For FusionPBX version 4.4.1, avoid using the `fax uuid` parameter in the `/app/fax/fax log view.php` endpoint until the issue is resolved. Consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `id` and/or `voicemail id` parameters in the `voicemail greeting edit.php` file. **Recommendations** For FusionPBX version 4.4.1, consider restricting access to the `voicemail greeting edit.php` file until a patch is available. Avoid using the `id` and `voicemail id` parameters in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `id` parameter in the `/app/fax/fax files.php` endpoint. **Recommendations** For FusionPBX version 4.4.1, avoid using the `id` parameter in the `/app/fax/fax files.php` endpoint until the issue is resolved. Consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FusionPBX version 4.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter in the `/app/xml cdr/xml cdr search.php` API endpoint. **Recommendations** For FusionPBX version 4.4.1, as a temporary workaround, consider restricting access to the `/app/xml cdr/xml cdr search.php` endpoint until a patch is available. Avoid using the `redirect` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.