CVE-2019-16981

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns the use of an unsanitized id variable from the URL in the file appconference profilesconference profile params.php. This variable is reflected in HTML on two occasions, leading to a potential XSS issue.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing the id variable to prevent XSS attacks. Restrict access to the conference profile params.php file to minimize the risk of exploitation.