CVE-2019-16968
Description
An issue was discovered in FusionPBX up to 4.5.7. In the file app\conference_controls\conference_control_details.php, an unsanitized id variable coming from the URL is reflected in HTML on 2 occasions, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to 4.5.7 has a reflected XSS in conference_control_details.php via unsanitized id parameter.
Vulnerability
In FusionPBX versions up to and including 4.5.7, the file app/conference_controls/conference_control_details.php unsafely reflects the id GET parameter into HTML output on two occasions. The parameter is used directly in anchor href attributes without sanitization, allowing an attacker to inject arbitrary JavaScript. The vulnerable code is at lines 95 and 135 of the file, where $_GET['id'] is concatenated into the URL without escaping [1][2].
Exploitation
An attacker must craft a malicious URL containing a JavaScript payload in the id parameter and trick an authenticated FusionPBX administrator into clicking it. No additional privileges or network position beyond standard web access are required. The attacker can deliver the link via email, chat, or other means. When the admin clicks the link, the payload executes in the context of the FusionPBX session [2].
Impact
Successful exploitation results in reflected cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or performing administrative actions on behalf of the victim. The impact is limited to the authenticated admin's session and the permissions associated with that account [2].
Mitigation
The vulnerability was fixed in commit 02378c54722d89f875c66ddb00ff06468dabbc6d on August 8, 2019, by applying the escape() function to the id parameter before output [1]. The fix was applied to the 4.4 and master branches. Users should upgrade to a version containing this commit or apply the patch manually. No workaround is available other than updating [2].
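The following Python block is an added illustration, not FusionPBX code, that models the pattern described above and its fix so the two can be compared side by side: an id value concatenated into a single-quoted href (the pre-fix pattern), the same output with HTML-attribute escaping (standing in for the project's PHP escape() helper, which is an assumption about that helper's behaviour), and a stricter check that the value is a UUID, since it is emitted as conference_control_uuid. The canary id and the sample UUID are constructed; the check parses the rendered anchor the way a browser would and reports whether the id managed to introduce an extra attribute.

```python
"""Regression check for an id reflected into an href attribute.

Added example modelled on the pattern in conference_control_details.php;
it is not the project's code. html.escape(quote=True) is assumed to behave
like FusionPBX's escape() helper for this purpose.
"""
import html
import uuid
from html.parser import HTMLParser

# Constructed canary: a single quote closes the href value and the remainder
# would be parsed as a second attribute if nothing escapes it.
CANARY_ID = "abc' data-canary='1"
# Constructed UUID in the shape the parameter name expects.
VALID_ID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"

PREFIX = "<a href='conference_control_detail_edit.php?conference_control_uuid="


def render_vulnerable(conf_id: str) -> str:
    """Pre-fix pattern: the raw value is concatenated into the attribute."""
    return PREFIX + conf_id + "'>add</a>"


def render_escaped(conf_id: str) -> str:
    """Post-fix pattern: quotes and angle brackets are escaped before output."""
    return PREFIX + html.escape(conf_id, quote=True) + "'>add</a>"


def valid_uuid(conf_id: str) -> bool:
    """Stricter defence: accept only a well-formed UUID, reject anything else."""
    try:
        uuid.UUID(conf_id)
    except ValueError:
        return False
    return True


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Parse the rendered anchor and return its attribute map."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


def attribute_breakout(markup: str) -> bool:
    """True if the anchor carries any attribute besides href, i.e. the id
    escaped the quoted attribute value during rendering."""
    return bool(set(anchor_attributes(markup)) - {"href"})


if __name__ == "__main__":
    print("vulnerable breakout:", attribute_breakout(render_vulnerable(CANARY_ID)))
    print("escaped breakout:   ", attribute_breakout(render_escaped(CANARY_ID)))
    print("canary is uuid:     ", valid_uuid(CANARY_ID))
    print("sample is uuid:     ", valid_uuid(VALID_ID))
```

Output escaping keeps the canary inside the href value, where it is harmless, but every reflection point must remember to call it (the patch needed two identical edits); validating the id as a UUID at the top of the script closes the class of bug once, and the two defences compose.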
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
- 02378c54722d: Update conference_control_details.php
1 file changed · +2 −2
app/conference_controls/conference_control_details.php+2 −2 modified@@ -92,7 +92,7 @@ echo th_order_by('control_enabled', $text['label-control_enabled'], $order_by, $order); echo "<td class='list_control_icons'>"; if (permission_exists('conference_control_detail_add')) { - echo "<a href='conference_control_detail_edit.php?conference_control_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='conference_control_detail_edit.php?conference_control_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo " \n"; @@ -132,7 +132,7 @@ echo " <td width='33.3%' align='center' nowrap='nowrap'>$paging_controls</td>\n"; echo " <td class='list_control_icons'>"; if (permission_exists('conference_control_detail_add')) { - echo "<a href='conference_control_detail_edit.php?conference_control_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='conference_control_detail_edit.php?conference_control_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo " ";
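Review bot: escape() is applied at the output sink in both hunks, which closes the attribute-context reflection of $_GET['id'], but the value is still accepted unvalidated even though it is emitted as the conference_control_uuid query parameter; checking up front that $_GET['id'] is a UUID and rejecting the request otherwise would fix the whole class rather than each reflection point, and would not depend on remembering escape() wherever the id is echoed next. The two hunks are byte-for-byte identical, so the link-building line belongs in one helper shared by both list-control rows. Minor: alt is not a valid attribute on an anchor; title is the attribute that carries $text['button-add'] as hover text.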
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/02378c54722d89f875c66ddb00ff06468dabbc6d (mitre, x_refsource_MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-1/ (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.