FusionPBX SQLi 1

An authenticated user can perform an SQL injection in FusionPBX 4.5.7 through a specially crafted URL and tamper with the database.

In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php takes an unsanitized “id” variable from the URL and concatenates it into an unparameterized SQL query, leading to SQL injection.
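The advisory describes the textbook pattern: a request parameter spliced into SQL text. The following is an added example, not FusionPBX's code and not the fix commit; FusionPBX is written in PHP, but the behaviour is language-independent, so Python's bundled sqlite3 module is used to make it runnable offline. The table, rows and the tampered input are constructed, and the UUID check rests on the assumption that the id is a UUID (as ids elsewhere in FusionPBX appear to be).

```python
import re
import sqlite3

# Constructed sample table; not FusionPBX's real schema.
SAMPLE_ROWS = [
    ("3f2a1c9e-0b1d-4f6a-9a2b-1c2d3e4f5a6b", "Monday reminder"),
    ("7e8d9c0b-1a2b-4c3d-8e9f-0a1b2c3d4e5f", "Outage notice"),
]

# Assumption: the id is a UUID, so anything of another shape can be rejected up front.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE broadcasts (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO broadcasts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, broadcast_id):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so quote characters inside it change the structure of the query."""
    sql = "SELECT name FROM broadcasts WHERE id = '" + broadcast_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, broadcast_id):
    """Hardened pattern: parameter binding. The driver passes the value as
    data, so it can only ever be compared against the id column."""
    sql = "SELECT name FROM broadcasts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (broadcast_id,))]


def is_uuid(value):
    """True when the value has the shape of a UUID."""
    return bool(UUID_RE.match(value))


def lookup_validated(conn, broadcast_id):
    """Defence in depth: reject ids of the wrong shape before they reach the
    database, then still use the parameterized query."""
    if not is_uuid(broadcast_id):
        raise ValueError("id is not a UUID")
    return lookup_safe(conn, broadcast_id)


if __name__ == "__main__":
    db = make_db()
    good = SAMPLE_ROWS[0][0]
    tampered = "' OR '1'='1"  # constructed: closes the quote and appends an always-true clause
    print(lookup_unsafe(db, good), lookup_unsafe(db, tampered))  # one row vs every row
    print(lookup_safe(db, good), lookup_safe(db, tampered))      # one row vs no rows
```

Parameter binding is what removes the injection; the UUID check does not replace it, it only stops malformed input earlier and yields a clean, loggable error instead of a database error, which is also a useful detection signal.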
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=6fdda50a-99c5-4dda-9587-e814cf1eba54
Fix: https://github.com/fusionpbx/fusionpbx/commit/6fe372b3d4bb7ff07778d152886edcecc045c7ec

The issue was reported by Pierre Jourdan on 06/08/2019 and fixed the same day by Mark J Crane.

A CVE was published; the NVD base score is 8.8 HIGH:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16980
https://nvd.nist.gov/vuln/detail/CVE-2019-16980
