Improper access control in FusionPBX - CVE-2019-16986
Published: October 23, 2019
FusionPBX
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the application allows an attacker to download arbitrary files from the system: the file name is passed via the "f" HTTP parameter to the "/resources/download.php" or "/resources/secure_download.php" scripts. A remote authenticated user can pass a full filename containing directory traversal sequences to the application and download arbitrary files from the server.
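The defensive pattern that closes this class of bug is to resolve the user-supplied name against a fixed download directory and refuse anything that escapes it. The following is an added illustration, not FusionPBX's code or the fix from the linked commits; the function name, the `$base_dir` value and the parameter names are assumptions made for this example.

```php
<?php
// Added example (not FusionPBX's code): resolve a user-supplied file name
// against a fixed download directory and refuse anything that escapes it.
// resolve_download_path() and $base_dir are hypothetical names for this example.

function resolve_download_path(string $base_dir, string $requested): ?string
{
    // Reject embedded NUL bytes, which can truncate the path in lower layers.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Canonicalise the allowed directory once; realpath() resolves symlinks
    // and collapses "." / ".." segments, returning false if it does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }

    // Resolve the requested name relative to the base directory. A value such
    // as "../../etc/passwd" resolves to a path outside $base and is rejected below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;           // nonexistent file or dangling symlink
    }

    // The resolved path must lie strictly beneath the base directory. The
    // trailing separator stops "/srv/downloads2" matching "/srv/downloads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;           // traversal or symlink escape
    }

    return is_file($candidate) ? $candidate : null;
}

// Usage in a download endpoint: only the file name is taken from "f".
$base_dir = '/srv/fusionpbx/downloads';   // hypothetical directory
$path = resolve_download_path($base_dir, $_GET['f'] ?? '');
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Because the check runs on the canonicalised path rather than on the raw string, encoded or nested traversal sequences and symlinks pointing outside the directory are all caught by the same prefix comparison.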
How to mitigate CVE-2019-16986
Sources
- https://github.com/fusionpbx/fusionpbx/commit/9482d9ee0e4287df21339be4276125e38e048951
- https://github.com/fusionpbx/fusionpbx/commit/9c61191049c949e01f99ea1fbab1feb44709e108
- https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-2/
- https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=2e4784b2-721e-4a15-8bef-962a3936aee1