CVE-2019-16989

Name of the Vulnerable Software and Affected Versions FusionPBX versions prior to 4.5.8

Description The issue concerns the use of an unsanitized variable c from the URL in the file appconferences activeconference interactive.php, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the website.

Recommendations For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the conference interactive.php file until a patch is applied. Avoid using the c variable in the affected URL until the issue is resolved.