CVE-2019-16980

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns an SQL injection flaw. Specifically, the call broadcast edit.php file uses an unsanitized id variable from the URL in an unparameterized SQL query. This allows for potential SQL injection attacks.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the call broadcast edit.php file to minimize the risk of exploitation. Avoid using the id variable in the affected API endpoint until the issue is resolved.