CVE-2019-15029

Name of the Vulnerable Software and Affected Versions FusionPBX version 4.4.8

Description The issue allows an attacker to execute arbitrary system commands. This is achieved by submitting a malicious command to the service edit.php file, which inserts the command into the database. The stored command can be triggered by calling the services.php file via a GET request with the service id followed by the parameter a=start.

Recommendations For FusionPBX version 4.4.8, as a temporary workaround, consider restricting access to the services.php file and the service edit.php file to minimize the risk of exploitation. Avoid using the parameter a=start in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.