CVE-2019-16974

Name of the Vulnerable Software and Affected Versions FusionPBX versions up to 4.5.7

Description The issue arises from the file appcontactscontact times.php using an unsanitized id variable from the URL, which is then reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the webpage.

Recommendations For FusionPBX versions up to 4.5.7, as a temporary workaround, consider sanitizing the id variable in the appcontactscontact times.php file to prevent XSS attacks. Restrict access to the contact times.php file until a proper fix is applied.