VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2019 · Updated Aug 5, 2024

CVE-2019-16964

Description

app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Call Center Queue Module in FusionPBX up to 4.5.7 allows authenticated command injection via the cmd parameter, enabling command execution as www-data.

Vulnerability

The Call Center Queue Module in FusionPBX versions up to and including 4.5.7 contains a command injection vulnerability in app/call_centers/cmd.php. The script accepts a cmd parameter from user input without proper validation or sanitization, allowing an attacker to inject arbitrary commands. The vulnerability stems from the lack of a whitelist or input filtering for the cmd value, as seen in the fix commit [1].

Exploitation

An authenticated attacker with at least the permissions call_center_queue_add or call_center_queue_edit can exploit this by sending a crafted GET request to app/call_centers/cmd.php with a cmd parameter containing malicious commands. The commands are executed via the FreeSWITCH event socket interface, running as the www-data user. No additional user interaction is required beyond authentication [2].

Impact

Successful exploitation allows the attacker to execute arbitrary system commands on the host operating system with the privileges of the www-data user. This can lead to full compromise of the FusionPBX server, including data exfiltration, installation of backdoors, or lateral movement within the network. The CVSS score for this vulnerability is 8.8 (HIGH) [2].

Mitigation

The issue was fixed in commit 2f9e591 on August 15, 2019, and included in FusionPBX versions after 4.5.7. Users should upgrade to the latest patched version. No workarounds are available; the fix implements a whitelist of allowed commands (load, unload, reload) and validates the queue parameter as a UUID [1][2].
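As an added illustration (not FusionPBX's own code and not the contents of commit 2f9e591), the two checks the fix summary describes, written in PHP: the action must be one of load/unload/reload and the queue identifier must be a UUID before either value is interpolated into the string handed to the event socket. The `callcenter_config queue` wording, the function names and the sample inputs are assumptions.

```php
<?php
// Added example of the hardening described above; not FusionPBX code.
// Both request values are untrusted; nothing reaches the event socket
// unless each one passes its check.

/** The only actions the fix summary names as permitted. */
const ALLOWED_CMDS = ['load', 'unload', 'reload'];

/** Strict 8-4-4-4-12 hexadecimal UUID check, anchored to the whole string. */
function is_uuid(string $value): bool
{
    $pattern = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i';
    return preg_match($pattern, $value) === 1;
}

/**
 * Build the queue control string, or return null if either input fails
 * validation. Refusing (rather than passing the raw value through) is what
 * closes the injection surface: the action comes from a closed set and the
 * queue id matches a pattern that admits no separators or extra arguments.
 */
function build_queue_command(?string $cmd, ?string $queue): ?string
{
    if ($cmd === null || !in_array($cmd, ALLOWED_CMDS, true)) {
        return null; // unknown action: refuse
    }
    if ($queue === null || !is_uuid($queue)) {
        return null; // queue identifier is not a UUID: refuse
    }
    // The "callcenter_config queue" API form is an assumption for this example.
    return "callcenter_config queue {$cmd} {$queue}";
}

// In a request handler this would be called as:
//   build_queue_command($_GET['cmd'] ?? null, $_GET['queue'] ?? null);
// Constructed sample inputs (not taken from the advisory):
$cases = [
    ['reload',  '3f9c2f1e-6a2b-4c4d-9e8f-0123456789ab'], // accepted
    ['restart', '3f9c2f1e-6a2b-4c4d-9e8f-0123456789ab'], // action not in list
    ['load',    'default'],                               // queue not a UUID
    ['unload',  '3F9C2F1E-6A2B-4C4D-9E8F-0123456789AB'], // upper-case UUID ok
];
foreach ($cases as [$cmd, $queue]) {
    $built = build_queue_command($cmd, $queue);
    printf("%-8s %-38s => %s\n", $cmd, $queue, $built ?? 'REJECTED');
}
```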

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)