An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.
In FusionPBX up to v4.5.7, file resources\paging.php has a paging function called by several pages of the interface which uses an unsanitized “param” variable constructed partially from the URL args and reflected in HTML leading to XSS.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2a1baae1-b906-4577-a10b-b1734f9fe4b2
Fix: https://github.com/fusionpbx/fusionpbx/commit/23581e56e9a4d1685ddf1c7d67137417d654e134
Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on 12/08/2019 by Mark J Crane.
CVE published, NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16983
https://nvd.nist.gov/vuln/detail/CVE-2019-16983
