PT-2019-12294 · Fusionpbx

Author: Dustin Cobb · Published: 2019-06-17 · Updated: 2022-04-18 · CVE-2019-11409

CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.4.3

Description: The issue is a command injection vulnerability in the Operator Panel module caused by insufficient input validation. It allows authenticated, non-administrative attackers to execute commands on the host, and when combined with an existing XSS vulnerability in the same module it can lead to remote code execution.

Recommendations: For FusionPBX version 4.4.3, consider disabling the exec.php file in the Operator Panel module as a temporary workaround until a patch is available. Restrict access to the Operator Panel module to minimize the risk of exploitation, and avoid using the module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: OS Command Injection


Weakness Enumeration

Related Identifiers: CVE-2019-11409

Affected Products: Fusionpbx