FusionPBX Path traversal 4

An authenticated user can delete any folder on the system through a specially crafted URL in FusionPBX 4.5.7.

In FusionPBX up to v4.5.7, the file app\edit\folderdelete.php uses an unsanitized "folder" variable taken from the URL, which allows an authenticated user to delete any folder on the system (path traversal: a value such as ../../ escapes the directory the edit app is meant to manage).
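
The pattern described above, as an added example that is not FusionPBX's own code and not the actual content of folderdelete.php or of the fix commit: a hypothetical unsafe delete that joins the caller-supplied "folder" value to a base directory without checks, next to a hardened variant that canonicalises both paths with realpath() and refuses anything outside the base. The base directory, the function names and the temporary layout are assumptions made for the demonstration.

```php
<?php
// Added example, not FusionPBX code. Assumed: a base directory that the
// "edit" app is allowed to manage, and a URL parameter named "folder".
// delete_folder_unsafe / delete_folder_safe are hypothetical names.

// Recursively delete a directory tree (used by both variants below).
function rmdir_recursive(string $dir): bool {
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) {
            rmdir_recursive($path);
        } else {
            unlink($path);
        }
    }
    return rmdir($dir);
}

// Vulnerable pattern: the caller-supplied name is concatenated to the base
// directory with no validation, so "../outside" leaves $base_dir.
function delete_folder_unsafe(string $base_dir, string $folder): bool {
    $target = $base_dir . '/' . $folder;
    if (!is_dir($target)) {
        return false;
    }
    return rmdir_recursive($target);
}

// Hardened pattern: canonicalise both paths and require the target to be
// strictly inside the base directory before touching the filesystem.
function delete_folder_safe(string $base_dir, string $folder): bool {
    $base   = realpath($base_dir);
    $target = realpath($base_dir . '/' . $folder);
    if ($base === false || $target === false) {
        return false;   // base missing, or target does not exist
    }
    // Prefix check on canonical paths; also reject the base directory itself.
    if ($target === $base || strpos($target . '/', $base . '/') !== 0) {
        return false;
    }
    return rmdir_recursive($target);
}

// Throwaway layout constructed for this example:
//   <tmp>/edit/allowed   the only folder the app should be able to remove
//   <tmp>/outside        a sibling directory that a traversal payload targets
$tmp = sys_get_temp_dir() . '/folderdelete_demo_' . getmypid();
mkdir("$tmp/edit/allowed", 0700, true);
mkdir("$tmp/outside", 0700, true);
$base_dir = "$tmp/edit";

// The value as it would arrive in the URL: ?folder=../outside
$payload = '../outside';

// Hardened variant: traversal payload, then a legitimate name.
var_dump(delete_folder_safe($base_dir, $payload));
var_dump(is_dir("$tmp/outside"));
var_dump(delete_folder_safe($base_dir, 'allowed'));

// Unsafe variant with the same payload.
var_dump(delete_folder_unsafe($base_dir, $payload));
var_dump(is_dir("$tmp/outside"));

// Clean up what is left of the demo layout.
rmdir("$tmp/edit");
rmdir($tmp);
```

Run with the PHP CLI: the hardened variant refuses the traversal payload and leaves the sibling directory in place, but deletes "allowed"; the unsafe variant removes the sibling directory, which is exactly the behaviour the advisory describes. The check is done on realpath() output rather than on the raw string so that ".." segments, symlinks and duplicate separators are resolved before the comparison; a plain substring search for ".." in the parameter would not cover symlinks placed inside the base directory.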

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=d7a37592-f07b-4aa4-92ca-5c4f7886b7c5
Fix: https://github.com/fusionpbx/fusionpbx/commit/026c3958c3c7ca6b2ff067addc991aac8f41cf11

The issue was reported by Pierre Jourdan on 13/08/2019 and fixed the same day by Mark J. Crane.