CVE-2019-16972
Description
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in FusionPBX contact_addresses.php via unsanitized id parameter, allowing arbitrary JavaScript execution in victim's browser.
Vulnerability
In FusionPBX up to version 4.5.7, the file app/contacts/contact_addresses.php uses an unsanitized id parameter from the URL, which is reflected directly into HTML output without proper escaping. This leads to a reflected cross-site scripting (XSS) vulnerability. The vulnerable code path is reachable by any authenticated user visiting a crafted URL [1][2].
Exploitation
An attacker can craft a URL containing malicious JavaScript in the id parameter (e.g., ?id=) and trick an authenticated FusionPBX user into clicking it. The script executes in the context of the victim's session, inheriting the user's privileges and access to the application [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, data theft, defacement, or performing administrative actions on behalf of the victim, depending on their permissions [1][2].
Mitigation
The vulnerability was fixed in commit 913ad23 on August 13, 2019, for the 4.4 and master branches. Users should upgrade to a patched version. No workaround is available if patching is not immediately possible [1][2].
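A reduced PHP illustration of the reflection pattern and of the validate-then-escape shape of the fix, added here as an example and not FusionPBX's own code: `is_uuid_like()` is an assumed stand-in for the project's `is_uuid()`, the `add_link_*` functions are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not FusionPBX code. It shows how a raw query-string value
// ends up inside an href attribute, and how the fix validates first.

// Stand-in for FusionPBX's is_uuid() (assumption): only canonical
// 8-4-4-4-12 hex UUIDs pass, so the value can never carry quotes or brackets.
function is_uuid_like(string $value): bool
{
    $re = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    return preg_match($re, $value) === 1;
}

// Pre-fix shape: the raw value from the URL lands inside an href attribute.
function add_link_unsafe(array $get): string
{
    $id = $get['id'] ?? '';
    return "<a href='contact_address_edit.php?contact_uuid=" . $id . "'>Add</a>";
}

// Post-fix shape: validate and fail closed, then URL-encode the value for the
// query string and HTML-escape the whole attribute value (defense in depth).
function add_link_safe(array $get): ?string
{
    $id = $get['id'] ?? '';
    if (!is_uuid_like($id)) {
        return null; // caller should stop rendering and return an error
    }
    $href = 'contact_address_edit.php?contact_uuid=' . urlencode($id);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>Add</a>";
}

// Constructed inputs: one well-formed UUID and one value carrying the
// characters that would break out of a single-quoted attribute.
$good = ['id' => '6ba7b810-9dad-11d1-80b4-00c04fd430c8'];
$bad  = ['id' => "not-a-uuid'\"<>"];

echo add_link_unsafe($bad), "\n";   // the quote and bracket characters reach the markup unchanged
var_dump(add_link_safe($bad));      // rejected before any output is produced
echo add_link_safe($good), "\n";    // encoded link for the well-formed UUID
```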
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
913ad234cf14 Update contact_addresses.php
1 file changed · +18 −11
app/contacts/contact_addresses.php+18 −11 modified@@ -38,6 +38,11 @@ exit; } +//set the uuid + if (is_uuid($_GET['id'])) { + $contact_uuid = $_GET['id']; + } + //show the content echo "<table width='100%' border='0'>\n"; echo "<tr>\n"; @@ -46,21 +51,23 @@ echo "</tr>\n"; echo "</table>\n"; - //get the contact list - $sql = "select * from v_contact_addresses "; - $sql .= "where domain_uuid = :domain_uuid "; - $sql .= "and contact_uuid = :contact_uuid "; - $sql .= "order by address_primary desc, address_label asc "; - $parameters['domain_uuid'] = $_SESSION['domain_uuid']; - $parameters['contact_uuid'] = $contact_uuid; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - unset($sql, $parameters); +//get the contact list + $sql = "select * from v_contact_addresses "; + $sql .= "where domain_uuid = :domain_uuid "; + $sql .= "and contact_uuid = :contact_uuid "; + $sql .= "order by address_primary desc, address_label asc "; + $parameters['domain_uuid'] = $_SESSION['domain_uuid']; + $parameters['contact_uuid'] = $contact_uuid; + $database = new database; + $result = $database->select($sql, $parameters, 'all'); + unset($sql, $parameters); +//set the row style $c = 0; $row_style["0"] = "row_style0"; $row_style["1"] = "row_style1"; +//show the content echo "<table class='tr_hover' style='margin-bottom: 20px;' width='100%' border='0' cellpadding='0' cellspacing='0'>\n"; echo "<tr>\n"; @@ -72,7 +79,7 @@ echo "<th>".$text['label-address_description']."</th>\n"; echo "<td class='list_control_icons'>"; if (permission_exists('contact_address_add')) { - echo "<a href='contact_address_edit.php?contact_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='contact_address_edit.php?contact_uuid=".urlencode($contact_uuid)."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } echo "</td>\n"; echo "</tr>\n";
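Review bot: the new `if (is_uuid($_GET['id']))` guard in the first hunk only assigns `$contact_uuid` on success and silently falls through otherwise, so a missing or non-UUID `id` leaves `$contact_uuid` unset while the page keeps rendering; the later `$parameters['contact_uuid'] = $contact_uuid;` and `urlencode($contact_uuid)` then run on an undefined variable (undefined-variable notice, null bound to the query). Fail closed instead, e.g. `else { echo "invalid id"; exit; }`, and check `isset($_GET['id'])` before calling `is_uuid()` so an absent parameter does not raise an undefined-index notice.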
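Review bot: the second hunk is a whitespace-only re-indent of the `//get the contact list` block (the removed and added lines are identical apart from leading tabs) plus two new comments; that is cosmetic noise inside a security fix, makes the real change harder to review and backport to 4.4, and belongs in a separate commit.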
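Review bot: in the third hunk, `urlencode()` is the right encoding for the query-string position of `contact_uuid`, but the attribute value is still assembled by string concatenation, so the remaining safety rests on `urlencode()` percent-encoding quotes and angle brackets and on the `is_uuid()` guard from the first hunk staying in place; consider `htmlspecialchars($href, ENT_QUOTES)` on the attribute value as defense in depth. Minor: `alt` is not a valid attribute on `<a>`; `title` is probably intended.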
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/fusionpbx/fusionpbx/commit/913ad234cf145a55e5f2faaab08d776d83c1699b (MITRE, x_refsource_MISC)
[2] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-5/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.