FusionPBX Path traversal 3

An authenticated user can download any file on the system through a specially crafted URL in FusionPBX 4.5.7.

In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized “file” parameter taken from the URL: it accepts any base64-encoded path on the system and serves that file for download.
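As an added illustration of the flaw class described above (constructed example, not FusionPBX's own code and not the linked fix), the unsanitized pattern next to a hardened handler that only serves files from a fixed directory; the directory in $moh_base is an assumption.

```php
<?php
// Added illustration of the flaw class described above. Constructed example,
// not FusionPBX code; the directory in $moh_base is an assumption.
$moh_base = '/var/lib/freeswitch/recordings/music_on_hold';

// Vulnerable pattern: the base64-decoded "file" value is used as a path with no
// check, so any file the web server user can read is served to the caller.
function vulnerable_download(string $encoded_file): ?string
{
    $path = base64_decode($encoded_file);
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened pattern: decode strictly, resolve relative to the permitted directory,
// canonicalize with realpath() and refuse anything that resolves outside it.
function safe_resolve(string $encoded_file, string $base_dir): ?string
{
    $decoded = base64_decode($encoded_file, true); // strict mode rejects malformed input
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Treat the decoded value as relative: an absolute "/etc/passwd" becomes
    // "<base>//etc/passwd" and is then canonicalized like any other path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $decoded);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has collapsed any "../" segments, so a prefix check is reliable.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("rejected music_on_hold download outside base dir: $decoded");
        return null;
    }
    return $candidate;
}

// Constructed requests: a traversal attempt and an absolute path are both refused,
// while a plain file name inside the directory resolves (if the file exists).
foreach (['../../../../etc/passwd', '/etc/passwd', 'default.wav'] as $name) {
    $result = safe_resolve(base64_encode($name), $moh_base);
    printf("%-25s -> %s\n", $name, $result === null ? 'rejected' : $result);
}
```

The error_log call gives operators a line to alert on when a rejected path is requested.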


Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=a578cdc5-f275-4656-837b-25fd640925ec
Fix: https://github.com/fusionpbx/fusionpbx/commit/95ed18aa9d781f232f5686a9027bb6f677c9b8da

The issue was reported by Pierre Jourdan on 15/08/2019 and fixed on 19/08/2019 by reliberate.


CVE published, NVD base score is 6.5 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16990
https://nvd.nist.gov/vuln/detail/CVE-2019-16990
