Headline
CVE-2019-16985: FusionPBX Path traversal 1
In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized “rec” variable coming from the URL, which is base64 decoded and allows deletion of any file of the system.
Skip to content
An authenticated user can delete any file of the system through a URL of FusionPBX 4.5.7 specifically crafted.
In FusionPBX up to v4.5.7, file app\xml_cdr\xml_cdr_delete.php uses an unsanitized “rec” variable coming from the URL which is base64 decoded and allows to delete any file of the system.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=bee80ee5-8c44-4c13-9ebb-3424177aa8db
Fix: https://github.com/fusionpbx/fusionpbx/commit/284b0a91968f126fd6be0a486a84e065926905ca
Issue was reported by Pierre Jourdan on 13/08/2019 and fixed on same day by Mark J Crane.
CVE published, NVD base score is 6.5 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16985
https://nvd.nist.gov/vuln/detail/CVE-2019-16985