CVE-2019-16969
Description
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX ≤ 4.5.7 reflects the unsanitized URL parameter "c" into HTML, enabling reflected XSS against admin users.
Vulnerability
In FusionPBX up to version 4.5.7, the file app/fifo_list/fifo_interactive.php uses an unsanitized "c" variable from the URL, which is reflected directly into HTML output without proper escaping or validation [1][2]. The affected code path is reachable when a user with the active_queue_view permission accesses the page; the parameter is intended to specify a FIFO queue name. The fix introduced a preg_replace filter that restricts the allowed characters to alphanumerics, underscores, @, -, ., and /. [1]
Exploitation
An attacker must be authenticated as a FusionPBX user with at least the active_queue_view permission, and then trick an authenticated admin into clicking a specially crafted URL [2]. The attacker embeds malicious JavaScript in the "c" parameter. Because no sanitization is performed on the initial value, the script executes in the context of the admin's browser when the page renders. [1][2]
Impact
Successful exploitation results in reflected cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the admin's browser, potentially leading to session hijacking, phishing, defacement, or other actions within the application's security context. The CVSS base score is 6.1 (Medium). [2]
Mitigation
The vulnerability was fixed in commit d3679bbeface57a21f6623cbc193b04a7fc0a885 [1], applied to both the 4.4 and master branches on 21 August 2019 [2]. Users should upgrade to a version containing this fix. There is no known workaround other than applying the patch or restricting access to the affected page via web server rules.
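To show what the fix's character whitelist does to a legitimate queue name versus a script-style value, and the output escaping a defender would add beside it, an added PHP example (not FusionPBX's own code; the function names are hypothetical):

```php
<?php
// Added example, not FusionPBX code. Function names are hypothetical.

// Same character class the fix applies to $_REQUEST["c"]: keep only
// alphanumerics, underscore, @, hyphen, dot and slash; drop everything else.
function filter_fifo_name(?string $raw): string {
    return preg_replace('#[^a-zA-Z0-9\_\@\-./]#', '', (string) $raw);
}

// Escape at the point where the name is written into HTML, so the page
// stays safe even if the input filter is later relaxed or bypassed.
function render_fifo_heading(string $fifo_name): string {
    return '<h2>' . htmlspecialchars($fifo_name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Constructed inputs: a legitimate queue name and a value containing markup.
$samples = [
    'support@example.com',
    '"><script>alert(1)</script>',
];
foreach ($samples as $raw) {
    $clean = filter_fifo_name($raw);
    echo "raw:      $raw\n";
    echo "filtered: $clean\n";          // second sample becomes scriptalert1/script
    echo "html:     " . render_fifo_heading($clean) . "\n\n";
}
```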
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
d3679bbeface Update fifo_interactive.php
1 file changed · +16 −11
app/fifo_list/fifo_interactive.php+16 −11 modified@@ -23,23 +23,27 @@ Contributor(s): Mark J Crane <markjcrane@fusionpbx.com> */ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('active_queue_view')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + include "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('active_queue_view')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; $text = $language->get(); //get the fifo_name from http and set it to a php variable - $fifo_name = trim($_REQUEST["c"]); + $fifo_name = preg_replace('#[^a-zA-Z0-9\_\@\-./]#', '', $_REQUEST["c"]); //if not the user is not a member of the superadmin then restrict to viewing their own domain if (!if_group("superadmin")) { @@ -139,4 +143,5 @@ function send_cmd(url) { echo "<br><br>"; require_once "resources/footer.php"; + ?>
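Review bot: In the first hunk, replacing trim() with the preg_replace whitelist on $_REQUEST["c"] removes the script characters at the input, but nothing in the hunk escapes $fifo_name where it is later written into the page; add htmlspecialchars() (or the project's escape helper) at that output point so the sink is safe independently of the input filter. The read of $_REQUEST["c"] is also unguarded, so a request without "c" passes null into preg_replace; wrap it in isset() or use the null-coalescing operator.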
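Review bot: In the second hunk, the added closing `?>` after require_once "resources/footer.php" is unnecessary and makes any trailing newline in the file part of the response body; the usual PHP convention for pure-PHP files is to omit the closing tag.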
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/d3679bbeface57a21f6623cbc193b04a7fc0a885 (MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-2/ (MISC)
News mentions
No linked articles in our index yet.