VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2019 · Updated Aug 5, 2024

CVE-2019-16971

Description

In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX up to 4.5.7 suffers from a reflected XSS in messages_thread.php via the unsanitized contact_uuid parameter.

Vulnerability

The vulnerability resides in app/messages/messages_thread.php where the contact_uuid URL parameter is unsanitized and reflected in three places within the HTML output. This allows an attacker to inject arbitrary JavaScript. Affected versions include FusionPBX up to 4.5.7. The issue was fixed in commit c48a160 on the 4.4 and master branches. [1][2]

Exploitation

An attacker must craft a malicious URL containing a JavaScript payload in the contact_uuid parameter and convince an authenticated FusionPBX user to click it. No special network access is required beyond delivering the link (e.g., via email or social engineering). The victim must be logged into the FusionPBX interface for the XSS to execute in their session context. [2]

Impact

Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, data theft, or interface defacement. Since this is a reflected XSS, the payload is not stored on the server and only affects the targeted user. [2]

Mitigation

The fix was applied on 21 August 2019 in commit c48a160 for branches 4.4 and master. Users should upgrade to a version containing this patch. No workarounds are documented in the available references. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [1][2]
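As an added example (not FusionPBX's code; `example_is_uuid()` is a hypothetical stand-in for the project's `is_uuid()` helper), the vulnerable and hardened handling of `contact_uuid` side by side, adding output encoding on top of the input validation the patch introduces:

```php
<?php
// Added example, not FusionPBX code. Shows the pre-fix reflection of a
// query-string value and the hardened form: validate on input, encode on output.

// Hypothetical stand-in for the project's is_uuid(): accept only canonical RFC 4122 form.
function example_is_uuid(?string $value): bool {
    return $value !== null
        && preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $value) === 1;
}

// Vulnerable pattern (pre-fix): the raw parameter is written straight into HTML.
function render_vulnerable(array $get): string {
    $contact_uuid = $get['contact_uuid'];
    return "<div id='messages' data-contact='" . $contact_uuid . "'></div>";
}

// Hardened pattern: reject anything that is not a UUID (as the patch does),
// guard against a missing parameter, and HTML-encode whatever is emitted.
function render_hardened(array $get): string {
    $raw = $get['contact_uuid'] ?? null;               // no undefined-index notice
    $contact_uuid = example_is_uuid($raw) ? $raw : null;
    if ($contact_uuid === null) {
        return "<div id='messages'></div>";            // nothing user-controlled reaches the page
    }
    $safe = htmlspecialchars($contact_uuid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div id='messages' data-contact='" . $safe . "'></div>";
}

// Constructed inputs: a benign UUID and a non-UUID value carrying HTML metacharacters.
$benign   = ['contact_uuid' => '123e4567-e89b-12d3-a456-426614174000'];
$rejected = ['contact_uuid' => "not-a-uuid'\"<>"];

echo render_vulnerable($rejected), PHP_EOL;  // quote breaks out of the attribute
echo render_hardened($rejected), PHP_EOL;    // value dropped: <div id='messages'></div>
echo render_hardened($benign), PHP_EOL;      // accepted and encoded
```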

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (1)
c48a160af533

Update messages_thread.php

https://github.com/fusionpbx/fusionpbx · FusionPBX · Aug 21, 2019 · via osv
1 file changed · +2 −2
  • app/messages/messages_thread.php · +2 −2 · modified
    @@ -41,7 +41,7 @@
     
     //get number of messages to load
     	$number = preg_replace('{[\D]}', '', $_GET['number']);
    -	$contact_uuid = $_GET['contact_uuid'];
    +	$contact_uuid = (is_uuid($_GET['contact_uuid'])) ? $_GET['contact_uuid'] : null;
     
     //set refresh flag
     	$refresh = $_GET['refresh'] == 'true' ? true : false;
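Review bot: `$_GET['contact_uuid']` is read without an `isset()` guard in the new line, so a request that omits the parameter raises an undefined-index notice before `is_uuid()` ever runs; consider `isset($_GET['contact_uuid']) && is_uuid($_GET['contact_uuid'])`. Restricting the value to a UUID does close the reflected XSS on this input, but the description says the value is reflected in three places in the HTML and none of those output sites are touched by this diff; encoding at the point of output would keep the page safe if the validation is ever relaxed or bypassed.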
    @@ -335,4 +335,4 @@
     		}
     	}
     
    -?>
    \ No newline at end of file
    +?>
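Review bot: this hunk only adds a trailing newline after the closing `?>` and is unrelated to the security fix; either leave it out of the patch or, since a closing `?>` at the end of a pure-PHP file is unnecessary and anything after it beyond a single newline is sent to the client as output, remove the `?>` line altogether instead of appending whitespace after it.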
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.