CVE-2019-16970
Description
In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized "savemsg" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In FusionPBX up to 4.5.7, the file sip_status.php reflects unsanitized 'savemsg' parameter, leading to cross-site scripting (XSS) in the admin interface.
Vulnerability
In FusionPBX up to version 4.5.7, the file app/sip_status/sip_status.php reads a savemsg variable from the URL query string and writes it straight into the HTML response without output encoding or validation, giving a reflected cross-site scripting (XSS) vulnerability [1][2]. The affected page is part of the FusionPBX web-based administration panel, so the reflection happens inside an authenticated admin session, and every release up to and including 4.5.7 is affected.
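The pattern behind this bug, and the two usual ways of closing it, as an added illustration in PHP. This is not FusionPBX's code and not taken from the cited references: the function names, the wrapping markup and the sample payload are assumptions made for the example; only the use of a query-string value named savemsg matches the advisory.

```php
<?php
// Added illustration (not FusionPBX's code): an unencoded reflection of a
// query parameter becomes reflected XSS; output encoding or an allowlist
// closes it. Function names, markup and the payload are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is concatenated into HTML.
function render_savemsg_vulnerable(array $query): string
{
    $savemsg = $query['savemsg'] ?? '';
    if ($savemsg === '') {
        return '';
    }
    return '<div class="savemsg">' . $savemsg . '</div>';
}

// Hardened pattern: encode for the HTML text context before reflecting.
// ENT_QUOTES also neutralises quotes (so the value is safe in an attribute);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_savemsg_fixed(array $query): string
{
    $savemsg = $query['savemsg'] ?? '';
    if ($savemsg === '') {
        return '';
    }
    $encoded = htmlspecialchars($savemsg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="savemsg">' . $encoded . '</div>';
}

// Stricter alternative: never reflect caller-supplied text at all. The query
// carries only a key, and the displayed message comes from a fixed table.
function render_savemsg_allowlist(array $query): string
{
    static $messages = [
        'saved'   => 'Settings saved.',
        'deleted' => 'Entry deleted.',
    ];
    $key = $query['savemsg'] ?? '';
    if (!is_string($key) || !isset($messages[$key])) {
        return '';
    }
    return '<div class="savemsg">' . $messages[$key] . '</div>';
}

// Constructed input standing in for $_GET after a victim opens a crafted link
// such as /app/sip_status/sip_status.php?savemsg=%3Cscript%3E...
$crafted = ['savemsg' => '<script>alert(document.domain)</script>'];

// The first line contains a live <script> element; the second contains
// &lt;script&gt;...; and renders as inert text; the third is empty because
// the payload is not a known key.
echo 'vulnerable: ' . render_savemsg_vulnerable($crafted) . PHP_EOL;
echo 'fixed:      ' . render_savemsg_fixed($crafted) . PHP_EOL;
echo 'allowlist:  ' . var_export(render_savemsg_allowlist($crafted), true) . PHP_EOL;
```

The encoding must match the context the value lands in: htmlspecialchars is correct for HTML text and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs that context's own encoder. Where the message only ever comes from the application itself, the allowlist form removes the question entirely.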
Exploitation
An attacker must trick an authenticated FusionPBX user into clicking a specially crafted URL that contains the malicious payload in the savemsg parameter. The attacker does not need any special network position; the crafted link can be delivered via email, messaging, or other social engineering methods. When the victim clicks the link and the vulnerable page loads, the payload executes in the browser, allowing the attacker to run arbitrary JavaScript in the context of the FusionPBX session [2]. No additional authentication or privileges are required beyond the victim's existing session.
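Because exploitation requires the victim to load a crafted URL, an attempt leaves a recognisable trace in the web server's access log: a request for sip_status.php whose savemsg value carries markup. The scanner below, in PHP, is an added example and not part of FusionPBX or the advisory; the log format (Apache/nginx combined), the sample lines and the heuristics are constructed for the example, and the double-decoding step is there because a payload that arrives percent-encoded twice is decoded once by the server and would otherwise be missed.

```php
<?php
// Added example (not FusionPBX's code): flag access-log requests to
// sip_status.php whose savemsg value contains markup. Log format, addresses
// and sample lines are constructed; the regexes are a heuristic, not a spec.

declare(strict_types=1);

// True when the savemsg parameter of a raw query string looks like markup.
function savemsg_looks_malicious(string $rawQuery): bool
{
    parse_str($rawQuery, $params);          // one level of percent-decoding
    $value = $params['savemsg'] ?? null;
    if (!is_string($value) || $value === '') {
        return false;
    }
    // Decode once more to catch double-encoded payloads (%253Cscript%253E).
    $decoded = rawurldecode($value);
    // Tags, event-handler attributes, javascript: URIs or numeric entities
    // have no business in a status message.
    return (bool) preg_match('/<|>|\bon\w+\s*=|javascript:|&#x?[0-9a-f]+;?/i', $decoded);
}

// Returns the log lines that request sip_status.php with a suspicious savemsg.
function find_xss_attempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Combined log format: ... "GET /path?query HTTP/1.1" ...
        if (!preg_match('#"(?:GET|POST) /app/sip_status/sip_status\.php(?:\?([^ "]*))? HTTP/#', $line, $m)) {
            continue;
        }
        $query = $m[1] ?? '';
        if ($query !== '' && savemsg_looks_malicious($query)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log: one benign hit on the page, one benign savemsg,
// one plain payload and one double-encoded payload.
$sampleLog = [
    '203.0.113.5 - - [19/Oct/2019:10:00:01 +0000] "GET /app/sip_status/sip_status.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Oct/2019:10:00:07 +0000] "GET /app/sip_status/sip_status.php?savemsg=Saved HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Oct/2019:10:02:13 +0000] "GET /app/sip_status/sip_status.php?savemsg=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Oct/2019:10:02:40 +0000] "GET /app/sip_status/sip_status.php?savemsg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
];

// Prints the two lines from 198.51.100.9; the first two lines are not flagged.
foreach (find_xss_attempts($sampleLog) as $hit) {
    echo $hit, PHP_EOL;
}
```

A 200 status on a flagged line says only that the page rendered, not that the victim's browser ran the payload; pair the log hit with the referer and user-agent fields and with the session that made the request to decide whether an administrator actually followed the link.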
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the FusionPBX administrative interface. This can lead to theft of session cookies, unauthorized actions on behalf of the victim (such as modifying system configuration or extracting sensitive data), and potential complete compromise of the FusionPBX instance. The vulnerability is classified as reflected XSS with a CVSS score of 6.1 (MEDIUM) [2].
Mitigation
The vulnerability was fixed in commit a55f1cd5d8edd... on August 21, 2019 [1]. The fix was applied to the 4.4 branch and master branch. Users should upgrade to the latest version of FusionPBX that includes this patch (e.g., version 4.5.8 or later). No workaround is documented. Until the upgrade is applied, the usual compensating controls for reflected XSS in an admin panel reduce the exposure: restrict access to the FusionPBX web interface to trusted networks, keep session cookies HttpOnly so a payload cannot read them directly (it can still act on behalf of the session), and serve a Content-Security-Policy without unsafe-inline so injected inline scripts are not executed. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX / FusionPBX
Patches
1 file changed · +0 −24
app/sip_status/sip_status.php+0 −24 modified@@ -49,30 +49,6 @@ $row_style["0"] = "row_style0"; $row_style["1"] = "row_style1"; -if ($_GET['a'] == "download") { - if ($_GET['t'] == "cdrcsv") { - $tmp = $_SESSION['switch']['log']['dir'].'/cdr-csv/'; - $filename = 'Master.csv'; - } - if ($_GET['t'] == "backup") { - $tmp = $backup_dir.'/'; - $filename = 'backup.tgz'; - if (!is_dir($backup_dir.'/')) { - exec("mkdir ".$backup_dir."/"); - } - $parent_dir = realpath($_SESSION['switch']['base']['dir']."/.."); - chdir($parent_dir); - shell_exec('tar cvzf freeswitch '.$backup_dir.'/backup.tgz'); - } - session_cache_limiter('public'); - $fd = fopen($tmp.$filename, "rb"); - header("Content-Type: binary/octet-stream"); - header("Content-Length: " . filesize($tmp.$filename)); - header('Content-Disposition: attachment; filename="'.$filename.'"'); - fpassthru($fd); - exit; -} - //show the content require_once "resources/header.php"; $document['title'] = $text['title-sip-status'];
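Review bot: nothing in this hunk touches savemsg; it only deletes the `if ($_GET['a'] == "download") { ... }` handler, so the reflected-XSS fix the advisory describes is not visible in the diff as shown and should be confirmed against the file's actual savemsg output before this commit is cited as the fix. The deletion is worth keeping on its own merits: the removed block chose a file from `$_GET['t']`, ran `exec("mkdir ".$backup_dir."/")` and `shell_exec('tar cvzf freeswitch '.$backup_dir.'/backup.tgz')` (with the archive name and the input apparently swapped, so the backup branch could not have produced the file it then reads), and streamed the result with fpassthru before the `require_once "resources/header.php"` that follows the block ran. The commit message should say that the download/backup path is being removed as unreachable or unsafe, and point to where the savemsg encoding was corrected.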
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/fusionpbx/fusionpbx/commit/a55f1cd5d8edd655058152e9acf212680d5b75f3 (MISC)
[2] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-3/ (MISC)
News mentions
No linked articles in our index yet.