An authenticated user can delete any file of the system through a URL of FusionPBX 4.5.7 specifically crafted.
In FusionPBX up to v4.5.7, file app\xml_cdr\xml_cdr_delete.php uses an unsanitized “rec” variable coming from the URL which is base64 decoded and allows to delete any file of the system.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=bee80ee5-8c44-4c13-9ebb-3424177aa8db
Fix: https://github.com/fusionpbx/fusionpbx/commit/284b0a91968f126fd6be0a486a84e065926905ca
Issue was reported by Pierre Jourdan on 13/08/2019 and fixed on same day by Mark J Crane.
CVE published, NVD base score is 6.5 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16985
https://nvd.nist.gov/vuln/detail/CVE-2019-16985
