VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2019 · Updated Aug 5, 2024

CVE-2019-16973

Description

In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX up to 4.5.7 has an XSS in contact_edit.php via unsanitized query_string reflected in HTML.

Vulnerability

In FusionPBX versions up to 4.5.7, the file app/contacts/contact_edit.php uses an unsanitized query_string variable taken directly from the URL. This variable is echoed into HTML without any escaping or filtering, enabling Cross-Site Scripting (XSS). The vulnerable code path is at line 349 where $_GET["query_string"] is embedded in an onclick handler's window.location assignment. [1] describes the bug and the fix commit.

Exploitation

An attacker must craft a URL with a malicious query_string parameter and trick an authenticated FusionPBX user into clicking that link. No special network position or authentication bypass is needed; the target must simply be logged in and follow the crafted URL. The injected JavaScript executes in the victim's browser context, within the FusionPBX application session.

Impact

Successful XSS allows the attacker to execute arbitrary JavaScript in the authenticated user's browser. This can lead to session hijacking, data theft (e.g., contact details), or actions performed on behalf of the victim within the FusionPBX interface. The compromise is at the user level, not the server, but can leverage the user's privileges to access or modify application data.

Mitigation

The fix is commit cc820b2eb12a3b7070afdcb7f977f70a1d49ce49 on the FusionPBX GitHub repository, applied to the 4.4 and master branches on 13 August 2019. The patch removes the unsanitized query_string from the onclick handler, replacing it with a fixed string 'contacts.php'. Users should upgrade to a version containing this fix (post-4.5.7). No workaround is documented; the vulnerability is closed by the patch.
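As an added illustration (a constructed example, not FusionPBX code), the PHP below contrasts the concatenation pattern described above with a version that keeps the parameter but encodes it for both contexts it passes through: the JavaScript string literal and the HTML attribute around it. This is an alternative to the project's own fix, which removed the parameter outright. The function names, the contents of the `$text` array and the sample payload are assumptions.

```php
<?php
// Constructed example, not FusionPBX code: the "value from $_GET glued into an
// onclick handler" pattern described in the advisory, shown vulnerable and then
// encoded correctly. Function names and sample data are assumptions.

function render_back_button_vulnerable(array $get, array $text): string
{
    // The request value lands inside a JavaScript string literal that itself sits
    // inside an HTML attribute. Neither layer is escaped, so a single quote ends
    // the JS string and a double quote ends the attribute.
    $query = $get['query_string'] ?? '';
    return "<input type='button' class='btn' alt='" . $text['button-back'] . "'"
         . " onclick=\"window.location='contacts.php?" . $query . "'\""
         . " value='" . $text['button-back'] . "'>\n";
}

function render_back_button_safe(array $get, array $text): string
{
    // Step 1: treat the parameter as query-string data, not as markup. parse_str()
    // reduces it to key/value pairs and http_build_query() percent-encodes them,
    // so quotes, angle brackets and parentheses never reach the URL unencoded.
    parse_str($get['query_string'] ?? '', $params);
    $target = 'contacts.php' . ($params ? '?' . http_build_query($params) : '');

    // Step 2: encode for the inner context first (JavaScript string literal), then
    // for the outer context (HTML attribute). The browser undoes the HTML layer
    // before the JavaScript parser sees the handler, so this order matters.
    $jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $handler = 'window.location=' . json_encode($target, $jsFlags);
    $attr = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<input type='button' class='btn' alt='" . $attr($text['button-back']) . "'"
         . " onclick=\"" . $attr($handler) . "\""
         . " value='" . $attr($text['button-back']) . "'>\n";
}

// Constructed payload: closes the JS string, the attribute and the tag, then
// injects a new element. Only the vulnerable renderer lets it through intact.
$text = ['button-back' => 'Back'];
$request = ['query_string' => "search=x'\"><img src=x onerror=alert(1)>"];

echo "vulnerable:\n", render_back_button_vulnerable($request, $text), "\n";
echo "hardened:\n", render_back_button_safe($request, $text);
```

Running it with `php example.php` prints the two renderings side by side: in the first, the payload's `'` terminates the JavaScript string and `">` terminates the attribute and tag, so the injected `<img>` becomes part of the page; in the second, the same input survives only as a percent-encoded `search=` value inside a `&quot;`-wrapped JavaScript literal. The point of the two-step encoding is that each layer is escaped with the encoder for that layer, rather than with a single blacklist applied to the raw value.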

References
  1. FusionPBX XSS 6

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
cc820b2eb12a

Update contact_edit.php

https://github.com/fusionpbx/fusionpbx · FusionPBX · Aug 13, 2019 · via osv
1 file changed · +1 −1
  • app/contacts/contact_edit.php (+1 −1, modified)
    @@ -346,7 +346,7 @@
     	}
     	echo "</b></td>\n";
     	echo "<td valign='top' width='70%' align='right'>\n";
    -	echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n";
    +	echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php'\" value='".$text['button-back']."'>\n";
     	if ($action == "update") {
     		if (permission_exists('contact_time_add')) {
     			//detect timer state (and start time)
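Review bot: the fix closes the injection by dropping `$_GET["query_string"]` from the onclick handler entirely, so the Back button now always returns to an unfiltered `contacts.php`; if the search or paging state that parameter carried is still wanted, the alternative is to keep it and encode it for both contexts it passes through, `json_encode()` for the JavaScript string literal wrapped in `htmlspecialchars(..., ENT_QUOTES)` for the attribute, rather than removing it. Separately, `$text['button-back']` is still concatenated unescaped into the `alt` and `value` attributes on the same line; that is unchanged by this patch and would benefit from the same `htmlspecialchars` treatment for consistency.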
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.