An attacker targeting an authenticated user can induce that user to click a specially crafted FusionPBX 4.5.7 URL that causes JavaScript code to be executed in the user's browser.
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized “file” variable taken from the URL, which is reflected into the HTML response without encoding, leading to reflected cross-site scripting (XSS).
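As an added illustration of the bug class described above (this is constructed example code, not FusionPBX's filedelete.php and not the referenced fix commit, whose contents are not reproduced here), the snippet below shows a request parameter named “file” echoed into HTML unescaped, next to a hardened handler that encodes the value for the HTML context and additionally rejects anything that is not a plain file name. The rendering functions and the `is_plain_filename` check are hypothetical names chosen for the example.

```php
<?php
// Constructed example, not FusionPBX code: the pattern behind CVE-2019-16991
// (a query-string value reflected into HTML without escaping) and a hardened form.
// Only the parameter name "file" comes from the advisory; everything else is assumed.

// Vulnerable pattern: the raw request value lands directly in the markup,
// so any HTML or script in the "file" parameter is interpreted by the browser.
function render_unescaped(string $file): string
{
    return "<p>Deleting file: " . $file . "</p>";
}

// Hardened pattern: encode for the HTML context before output.
// ENT_QUOTES also encodes single quotes, so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning an empty string.
function render_escaped(string $file): string
{
    $safe = htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Deleting file: " . $safe . "</p>";
}

// Defence in depth: a file-delete handler only ever needs a bare file name,
// so reject path separators, traversal components and any character outside
// a conservative allow-list before the value is used or displayed.
function is_plain_filename(string $file): bool
{
    return $file !== ''
        && $file === basename($file)
        && preg_match('/^[A-Za-z0-9._-]+$/', $file) === 1;
}

// Hypothetical request handling for a delete page.
$file = $_GET['file'] ?? '';
if (!is_plain_filename($file)) {
    http_response_code(400);
    echo 'Invalid file name';
    exit;
}
echo render_escaped($file);
```

With the allow-list in place, a value containing `<`, `>` or quotes never reaches the output at all; the `htmlspecialchars` call remains as the context-specific encoding step so the page stays safe even if the validation is loosened later.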
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=84d7fa60-99d5-41a2-a392-0b0a727e5987
Fix: https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e
The issue was reported by Pierre Jourdan on 10/08/2019 and fixed the same day by Mark J Crane.
CVE published, NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16991
https://nvd.nist.gov/vuln/detail/CVE-2019-16991
