CVE-2019-16974
Description
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX 4.5.7 and prior has a reflected XSS in contact_times.php via an unsanitized 'id' URL parameter.
Vulnerability
In FusionPBX up to version 4.5.7, the file app/contacts/contact_times.php reflects an unsanitized id parameter from the URL into HTML output. This allows an attacker to inject arbitrary JavaScript code. The vulnerability affects all versions up to and including 4.5.7. The fix was committed on 13 August 2019 for the 4.4 and master branches [1][2].
Exploitation
An attacker must trick an authenticated FusionPBX user into clicking a crafted URL that includes a malicious id parameter. No other privileges are required; the attacker can be unauthenticated but needs social engineering to induce the victim to follow the link [2]. The unsanitized value is directly echoed in the page, causing the browser to execute the injected script.
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive data visible to the affected user. The attack requires user interaction (clicking a link) and targets an authenticated user [2].
Mitigation
FusionPBX administrators should upgrade to a version containing the fix (committed 13 August 2019 for branches 4.4 and master). No workaround is documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
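The narrative above describes the defect as a query-string value echoed straight into HTML. The snippet below is an added example written for this page, not FusionPBX code: it shows the vulnerable pattern beside a hardened version that validates the parameter against the format it must have (a UUID), rejects anything else, and encodes the value for both the URL and the HTML-attribute context. The function names, the `looks_like_uuid()` stand-in (FusionPBX uses its own `is_uuid()`), and the sample inputs are all constructed for the example.

```php
<?php
// Added example, not FusionPBX code. Illustrates the unsafe reflection pattern
// and a hardened replacement for a query-string value used in a link.

// Hypothetical stand-in for a UUID format check (the project has its own is_uuid()).
function looks_like_uuid(string $value): bool {
    return preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    ) === 1;
}

// Vulnerable pattern: the raw request value lands inside an HTML attribute unchanged.
function add_link_unsafe(array $get): string {
    return "<a href='contact_time_edit.php?contact_uuid=" . ($get['id'] ?? '') . "'>Add</a>";
}

// Hardened pattern: validate first, reject on mismatch, then encode for each output context.
function add_link_safe(array $get): ?string {
    $id = $get['id'] ?? '';
    if (!looks_like_uuid($id)) {
        return null; // caller should answer with an error page or redirect, not render
    }
    // urlencode() for the query-string context, htmlspecialchars() for the attribute context.
    $href = 'contact_time_edit.php?contact_uuid=' . urlencode($id);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>Add</a>";
}

// Constructed sample requests: a well-formed UUID, a malformed value, and a missing parameter.
$samples = [
    ['id' => '123e4567-e89b-12d3-a456-426614174000'],
    ['id' => 'not-a-uuid\'"<>'],
    [],
];
foreach ($samples as $get) {
    $out = add_link_safe($get);
    echo ($out === null ? 'rejected' : $out), PHP_EOL;
}
```

The validation step is what actually closes the hole: once the value is known to be a UUID it cannot carry markup, and the two encoders then guard the link against any future widening of the accepted format.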
Affected products
- FusionPBX/FusionPBX
Patches
bcc75d63aa5b Update contact_times.php
1 file changed · +6 −1
app/contacts/contact_times.php+6 −1 modified@@ -38,6 +38,11 @@ exit; } +//set the uuid + if (is_uuid($_GET['id'])) { + $contact_uuid = $_GET['id']; + } + //get the contact list $sql = "select ct.*, u.username, u.domain_uuid as user_domain_uuid "; $sql .= "from v_contact_times as ct, v_users as u "; @@ -74,7 +79,7 @@ echo "<td class='list_control_icons' nowrap>"; echo img_spacer('25px', '1px'); if (permission_exists('contact_time_add')) { - echo "<a href='contact_time_edit.php?contact_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='contact_time_edit.php?contact_uuid=".urlencode($contact_uuid)."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo img_spacer('25px', '1px');
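Review bot: the new block after `exit; }` in the first hunk assigns `$contact_uuid` only when `is_uuid($_GET['id'])` passes and has no else branch, so a request with a malformed `id` continues into the contact-list query and reaches the edit link with `$contact_uuid` undefined (a PHP notice and an empty `contact_uuid=` in the link), while a request with no `id` at all raises an undefined-index notice at the `$_GET['id']` access. Suggest `if (isset($_GET['id']) && is_uuid($_GET['id'])) { $contact_uuid = $_GET['id']; } else { /* error or redirect */ exit; }` so a non-UUID value is rejected up front instead of falling through.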
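Review bot: in the second hunk, `urlencode($contact_uuid)` encodes for the query-string context, but the value is emitted inside a single-quoted HTML attribute; it is safe here only because the assignment is gated by `is_uuid()` in the first hunk, so the attribute-context escaping should wrap the output as defence in depth, e.g. `"...contact_uuid=".htmlspecialchars(urlencode($contact_uuid), ENT_QUOTES)."'..."` (or the project's own escaping helper if it has one). Minor: `alt` is not an attribute of `<a>`; `title` is probably what was intended.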
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/bcc75d63aa5b721f699a2b416425943ad7707825 (MITRE, x_refsource_MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-7/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.