An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.
In FusionPBX up to v4.5.7, file app\vars\vars_textarea.php uses an unsanitized “f” variable coming from the URL which is reflected in HTML leading to XSS.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=84d7fa60-99d5-41a2-a392-0b0a727e5987
Fix: https://github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e
Issue was reported by Pierre Jourdan on 14/08/2019 and fixed by Mark J Crane.
