Authenticated attackers can use PHP-Editor function in FusionPBX versions =< 4.5.10 to edit one of the existing PHP pages to insert a PHP payload. By navigating to the changed file we are able to gain a shell as www-data.
Discovered by TheCyberGeek