PT-2019-14884 · Fusionpbx · Fusionpbx

Pierre Jourdan

Published

2019-10-21

Updated

2020-08-24

CVE-2019-16964

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions FusionPBX versions up to 4.5.7

Description The issue arises from a lack of input validation in the Call Center Queue Module, specifically in the app/call centers/cmd.php file. This allows authenticated attackers with certain permissions to execute commands on the host. The permissions required for exploitation are call center queue add or call center queue edit.

Recommendations For FusionPBX versions up to 4.5.7, update to a version that includes a fix for this issue to prevent command injection attacks. As a temporary workaround, consider restricting access to the Call Center Queue Module for users with the call center queue add or call center queue edit permissions until a patch is available.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-16964

Affected Products

Fusionpbx

PT-2019-14884 · Fusionpbx · Fusionpbx

CVE-2019-16964

Weakness Enumeration

Related Identifiers

Affected Products

References · 4