CVE-2019-16972

Name of the Vulnerable Software and Affected Versions FusionPBX versions up to 4.5.7

Description The issue arises from the file appcontactscontact addresses.php using an unsanitized id variable from the URL, which is then reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the webpage.

Recommendations For FusionPBX versions up to 4.5.7, consider updating to a version that sanitizes the id variable to prevent XSS attacks. As a temporary workaround, restrict access to the contact addresses.php file to minimize the risk of exploitation. Avoid using the id variable in the affected URL until the issue is resolved.