CVE-2019-11410
Description
app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated administrative users can inject OS commands via the Backup Module's backup download feature in FusionPBX 4.4.3 due to unsanitized input.
Vulnerability
CVE-2019-11410 is a command injection vulnerability in the Backup Module of FusionPBX version 4.4.3. The flaw resides in app/backup/index.php, where the $file_format parameter from $_GET['file_format'] is used unsanitized in building a command string for the exec() function. The default value is 'tgz' but an attacker can supply arbitrary values, and the lack of input validation allows injection of shell metacharacters. The code path is reachable when an authenticated user with the backup_download permission accesses the download functionality [1].
Exploitation
An attacker must have administrative access to FusionPBX with the backup_download permission. The attack is performed by crafting a request to the backup endpoint with a malicious file_format parameter containing command injection payloads (e.g., via semicolons, pipes, or backticks). The injected value is concatenated directly into a shell command that is executed by exec(). No user interaction beyond the attacker's own request is required, and no race condition is necessary [1].
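A defender reviewing web-server logs for this request shape can check every hit on app/backup/index.php against the small set of archive formats the parameter is meant to carry. The PHP below is an added example written for this page, not FusionPBX code and not a published detection rule; the log lines are constructed, and the expected-format list is an assumption taken from the values named in the fix description.

```php
<?php
// Added example for CVE-2019-11410; not FusionPBX code and not a published rule.
// Scans access-log lines (Apache/Nginx combined format) for requests to
// app/backup/index.php whose file_format value is outside the expected set.
// Everything below is constructed for the demonstration.

// Expected archive formats; assumed from the values named in the fix description.
const EXPECTED_FILE_FORMATS = ['tgz', 'zip', 'tar.bz2'];
const BACKUP_SCRIPT = '/app/backup/index.php';

/** Pulls the quoted request line ("GET /path?query HTTP/1.1") out of a combined-format log line. */
function request_line(string $log_line): ?string
{
    return preg_match('/"([A-Z]+ [^"]*)"/', $log_line, $m) ? $m[1] : null;
}

/** Returns the decoded file_format query value for a backup-module request, or null when not applicable. */
function backup_file_format(string $request): ?string
{
    if (!preg_match('#^[A-Z]+ (\S+) HTTP/#', $request, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($path) || substr($path, -strlen(BACKUP_SCRIPT)) !== BACKUP_SCRIPT) {
        return null;
    }
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);  // also percent-decodes, so "tgz%3B" becomes "tgz;"
    return isset($params['file_format']) ? (string) $params['file_format'] : null;
}

/**
 * Returns one finding per log line whose file_format is outside the expected set.
 * The reason field separates values carrying shell metacharacters from merely unexpected ones.
 */
function find_suspicious_backup_requests(array $log_lines): array
{
    $findings = [];
    foreach ($log_lines as $line) {
        $request = request_line($line);
        if ($request === null) {
            continue;
        }
        $format = backup_file_format($request);
        if ($format === null || in_array($format, EXPECTED_FILE_FORMATS, true)) {
            continue;
        }
        $reason = preg_match('/[;|&`$()<>\n]/', $format)
            ? 'shell metacharacter in file_format'
            : 'unexpected file_format value';
        $findings[] = ['file_format' => $format, 'reason' => $reason, 'line' => $line];
    }
    return $findings;
}

// Constructed sample log lines (not from a real system).
$sample = [
    '10.0.0.5 - admin [26/May/2026:10:01:02 +0000] "GET /app/backup/index.php?file_format=tgz HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [26/May/2026:10:01:09 +0000] "GET /app/backup/index.php?file_format=zip HTTP/1.1" 200 1402 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [26/May/2026:10:02:41 +0000] "GET /app/backup/index.php?file_format=tgz%3Becho%20x HTTP/1.1" 200 90 "-" "curl/7.68.0"',
    '10.0.0.9 - admin [26/May/2026:10:02:55 +0000] "GET /app/backup/index.php?file_format=7z HTTP/1.1" 500 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [26/May/2026:10:03:00 +0000] "GET /app/dashboard/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
];

// Two of the five constructed lines are reported: the percent-encoded ';' and the unknown '7z'.
foreach (find_suspicious_backup_requests($sample) as $f) {
    printf("%-36s %s\n", $f['reason'], $f['file_format']);
}
```

Decoding the query with parse_str matters: the metacharacter arrives percent-encoded in the log, so a plain substring match on the raw line would miss it. Matching on "anything outside the whitelist" rather than on a metacharacter list also catches probes that use characters the list does not anticipate.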
Impact
Successful exploitation allows the authenticated attacker to execute arbitrary operating system commands with the privileges of the web server process (typically www-data or similar). This can lead to full compromise of the FusionPBX server, including data exfiltration, malware deployment, or lateral movement within the network. The CIA impact is complete: confidentiality, integrity, and availability are all at risk [1].
Mitigation
The fix is provided in commit 0f965c89288de449236ad6de4f97960814ce8c84, which validates the $file_format input against a whitelist of allowed values (such as 'tgz', 'zip', and 'tar.bz2') before using it in the command. Users should upgrade to a version of FusionPBX incorporating this commit or apply the patch manually. No workarounds are documented in the available references, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog according to the consulted sources [1].
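The contrast between the flawed code shape described under Vulnerability and the whitelist approach of the fix, as an added PHP illustration for this page rather than FusionPBX's own code. The helper names, the archiver commands and the exact whitelist are assumptions; both functions only build command strings and never call exec().

```php
<?php
// Added illustration of the fix described above; not FusionPBX's own code.
// build_backup_command_vulnerable() models the flawed shape (request value
// concatenated into an exec() command string); build_backup_command_hardened()
// models the whitelist approach of the upstream fix. Both only build strings and
// never call exec(), and the archiver commands below are assumptions.

// The whitelist doubles as the lookup table for the archiver to run, so an
// unknown format never reaches command construction. The format list is assumed
// from the values named in the fix description.
const BACKUP_ARCHIVERS = [
    'tgz'     => 'tar -czf',
    'tar.bz2' => 'tar -cjf',
    'zip'     => 'zip -r',
];

/** Vulnerable shape: whatever arrived in the request ends up in the shell command. */
function build_backup_command_vulnerable(array $get, string $backup_dir): string
{
    $file_format = $get['file_format'] ?? 'tgz';   // default 'tgz', as in the description above
    return 'tar -czf ' . $backup_dir . '/backup.' . $file_format . ' ' . $backup_dir;
}

/**
 * Hardened shape: reject anything not in the whitelist (return null so the caller
 * can answer with an error), and quote every argument that does reach the shell.
 */
function build_backup_command_hardened(array $get, string $backup_dir): ?string
{
    $file_format = $get['file_format'] ?? 'tgz';
    if (!is_string($file_format) || !array_key_exists($file_format, BACKUP_ARCHIVERS)) {
        return null;   // refuse rather than try to strip characters out of the value
    }
    $archive = escapeshellarg($backup_dir . '/backup.' . $file_format);
    return BACKUP_ARCHIVERS[$file_format] . ' ' . $archive . ' ' . escapeshellarg($backup_dir);
}

// Constructed request inputs (not real traffic).
$requests = [
    'benign'        => ['file_format' => 'zip'],
    'metacharacter' => ['file_format' => 'tgz; echo injected'],  // constructed stand-in for any injected value
    'array_value'   => ['file_format' => ['tgz']],               // file_format[]=tgz, a type edge case
];
$dir = '/var/backups/fusionpbx';

foreach ($requests as $label => $get) {
    $hardened = build_backup_command_hardened($get, $dir);
    printf("%-14s hardened: %s\n", $label, $hardened ?? 'REJECTED');
}
// Only the benign request yields a command; the other two are rejected before
// any string reaches the shell. The vulnerable builder passes the ';' through:
printf("vulnerable (metacharacter): %s\n", build_backup_command_vulnerable($requests['metacharacter'], $dir));
```

Two design points worth noting: the hardened version rejects bad input instead of sanitising it, since stripping characters from an attacker-controlled string is easy to get wrong, and it still wraps the surviving arguments in escapeshellarg() so that a later change to the path logic cannot quietly reopen the injection. The is_string() guard handles the case where PHP delivers the parameter as an array (file_format[]=...), which would otherwise make array_key_exists() fail loudly.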
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
FusionPBX / FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.