CVE-2020-21054

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7

Description: A Cross Site Scripting (XSS) issue allows remote malicious users to inject arbitrary web script or HTML via an unsanitized f variable in the appvarsvars textarea.php file. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations: For FusionPBX version 4.5.7, as a temporary workaround, consider sanitizing the f variable in the appvarsvars textarea.php file to prevent XSS attacks. Restrict access to the vars textarea.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.