CVE-2019-11408
Description
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated XSS via crafted caller ID in FusionPBX Operator Panel leads to RCE when chained with command injection.
Vulnerability
The Operator Panel module in FusionPBX 4.4.3 contains a cross-site scripting vulnerability in app/operator_panel/index_inc.php. The caller ID of an incoming call is written into the panel's HTML without output encoding, so a remote unauthenticated attacker who places a call with a specially crafted caller ID can inject arbitrary JavaScript that executes in the context of the application. Because the tainted value reaches the page over the telephony path rather than through an HTTP request, ordinary request-side input filtering never sees it. [1]
Exploitation
No authentication or prior access to FusionPBX is needed. The attacker only has to place a call into a system whose operators use the Operator Panel, with the caller ID set to a value that carries a JavaScript payload. When a logged-in operator views the incoming call on the panel, the injected script runs in that operator's browser session, with the operator's privileges.
Impact
Successful exploitation allows arbitrary JavaScript execution within the operator's session. This can be leveraged to perform actions on behalf of the operator, such as stealing session tokens or modifying panel data. The description further notes that this XSS can be chained with a separate command injection vulnerability in FusionPBX, not detailed in the description, potentially leading to full remote code execution on the server; that chain is the subject of the cited Packet Storm and GDS Security references. [1]
Mitigation
The fix is implemented in commit 391a23d070f3036d0c7760992f6970b0a76ee4d7 on the FusionPBX repository, which sanitizes the caller ID input. Users should upgrade to a version that includes this commit or apply the patch manually. Since the payload is delivered by a phone call, web application firewalls and HTTP-layer input validation do not protect the panel; the protection has to be applied where the caller ID is rendered into HTML. As of the publication date (2019-06-17), no CVE for the command injection chain was listed in the available references. [1]
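The bug class behind this CVE, as an added illustration (this is not FusionPBX's code, and the page does not show what index_inc.php looks like): a panel fragment that concatenates the caller ID straight into markup, the same fragment with output encoding applied at the point of display, and an allowlist check for the number field. The function names and the sample caller ID values are constructed for the example.

```php
<?php
// Added illustration of the CVE-2019-11408 bug class. Not FusionPBX code; the
// function names are hypothetical and the caller ID values are constructed.

// Constructed sample caller ID values, as they might arrive with an inbound
// call. The remote caller controls both strings; nothing upstream validates them.
$caller_id_name   = '<img src=x onerror="alert(document.cookie)">';
$caller_id_number = '1001" onmouseover="alert(1)';

// Vulnerable pattern: untrusted strings interpolated into markup verbatim.
function render_call_vulnerable(string $name, string $number): string
{
    return "<div class=\"call\" data-number=\"$number\">"
         . "<span class=\"name\">$name</span></div>";
}

// Output encoding for the HTML text and attribute contexts. ENT_QUOTES is
// required so that both ' and " are encoded, which keeps the attribute case
// (data-number above) from being broken out of.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, not somewhere upstream.
function render_call_safe(string $name, string $number): string
{
    return '<div class="call" data-number="' . h($number) . '">'
         . '<span class="name">' . h($name) . '</span></div>';
}

// Defence in depth: a caller ID *number* has a narrow legitimate shape, so it
// can be allowlisted before storage or display. The name field cannot (any
// text is a valid display name), so encoding remains the primary control.
function is_plausible_caller_id_number(string $number): bool
{
    return preg_match('/^\+?[0-9*#]{1,20}$/', $number) === 1;
}

echo render_call_vulnerable($caller_id_name, $caller_id_number), PHP_EOL;
// The <img> element and the injected onmouseover attribute reach the browser
// intact, so their event handlers execute in the operator's session.

echo render_call_safe($caller_id_name, $caller_id_number), PHP_EOL;
// Every <, >, " and ' is now an entity; the payload renders as inert text.

var_dump(is_plausible_caller_id_number('+15551234567'));
var_dump(is_plausible_caller_id_number($caller_id_number));
```

Run with `php example.php`: the first line of output contains the live `<img>` tag and the broken-out `onmouseover` attribute, the second shows them entity-encoded, and the two `var_dump` calls accept the well-formed number and reject the crafted one. The allowlist is only a secondary control; the encoding in `render_call_safe` is what actually closes the XSS, since a display name can legitimately contain any character.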
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153256/FusionPBX-4.4.3-Remote-Command-Execution.html
- blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html
- github.com/fusionpbx/fusionpbx/commit/391a23d070f3036d0c7760992f6970b0a76ee4d7
News mentions
No linked articles in our index yet.