In FusionPBX 4.5.7, an authenticated user can rename any file on the system through a specially crafted URL.
In FusionPBX up to v4.5.7, the file app\edit\filerename.php uses the unsanitized "folder", "filename", and "newfilename" variables coming from the URL, which allows renaming any file on the system.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=05956113-9485-497a-9ed8-100ca70dabd7
Fix: https://github.com/fusionpbx/fusionpbx/commit/1a88ca61a744914d3336cc15a40fb3edbcde9085
The issue was reported by Pierre Jourdan on 15/08/2019 and fixed by Mark J Crane.
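
The kind of server-side check that closes this class of bug is sketched below. It is an added example, not FusionPBX code and not the referenced fix. The function names, the base directory, and the choice to treat "folder" as relative to that base are assumptions made for illustration.

```php
<?php
// Added example (not FusionPBX code). All function names and $base are hypothetical.

/** Canonicalize $folder under $base_dir; null if it is missing or escapes the base. */
function resolve_inside_base(string $base_dir, string $folder): ?string {
    $base = realpath($base_dir);
    $dir  = realpath($base_dir . DIRECTORY_SEPARATOR . $folder);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Compare with a trailing separator so "/srv/scripts2" never matches "/srv/scripts".
    $inside = strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $dir : null;
}

/** Accept one path component only: no separators, no NUL byte, no "." or "..". */
function is_plain_filename(string $name): bool {
    return $name !== '' && $name !== '.' && $name !== '..'
        && strpbrk($name, "/\\") === false
        && strpos($name, "\0") === false;
}

function safe_rename(string $base_dir, string $folder, string $filename, string $new_filename): bool {
    $dir = resolve_inside_base($base_dir, $folder);
    if ($dir === null || !is_plain_filename($filename) || !is_plain_filename($new_filename)) {
        return false;
    }
    $src = $dir . DIRECTORY_SEPARATOR . $filename;
    $dst = $dir . DIRECTORY_SEPARATOR . $new_filename;
    // Refuse symlinks (they may point outside the base) and never overwrite a target.
    if (!is_file($src) || is_link($src) || file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed demo data: a throwaway directory standing in for the editable tree.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rename_demo_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'scripts', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'scripts' . DIRECTORY_SEPARATOR . 'a.lua', '-- demo');

var_dump(safe_rename($base, 'scripts', 'a.lua', 'b.lua'));      // rename inside the base
var_dump(safe_rename($base, '../..', 'b.lua', 'c.lua'));        // folder escapes the base
var_dump(safe_rename($base, 'scripts', 'b.lua', '../c.lua'));   // separator in new name
```

Path validation of this kind complements, and does not replace, a permission check on the authenticated user before any rename is attempted.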