CVE-2019-16988

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns the use of an unsanitized eavesdrop dest variable in the content.php file, which is reflected in HTML and leads to a cross-site scripting (XSS) issue. This allows for potential malicious script execution.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the content.php file in the basic operator panel resources to minimize the risk of exploitation. Avoid using the eavesdrop dest variable in URLs until the issue is resolved.