CVE-2019-16985

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns the use of an unsanitized rec variable in the xml cdr delete.php file, which allows for the deletion of any system file. This is achieved through a base64 decoded variable coming from the URL.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the xml cdr delete.php file to minimize the risk of exploitation. Avoid using the rec variable in the affected API endpoint until the issue is resolved.