CVE-2019-16971

Name of the Vulnerable Software and Affected Versions FusionPBX versions up to 4.5.7

Description The issue concerns the use of an unsanitized contact uuid variable in the file appmessagesmessages thread.php, which is reflected in HTML on three occasions, leading to a cross-site scripting (XSS) issue. This allows for the execution of malicious scripts in the context of the affected application.

Recommendations For FusionPBX versions up to 4.5.7, update to a version that sanitizes the contact uuid variable to prevent XSS attacks. As a temporary workaround, consider restricting access to the messages thread.php file until a patch is available.