CVE-2019-16975
Description
In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX 4.5.7 has a reflected XSS in contact_notes.php via the unsanitized 'id' parameter in the URL.
Vulnerability
In FusionPBX up to version 4.5.7, the file app/contacts/contact_notes.php uses an unsanitized id variable taken directly from the URL ($_GET['id']). This value is then reflected in the HTML output without proper encoding, leading to a reflected cross-site scripting (XSS) vulnerability. The affected code path is reachable when an authenticated user accesses the contact_notes.php page with a crafted id parameter. The fix was applied in commit [1][2] on the 4.4 and master branches on August 13, 2019.
Exploitation
An attacker must first identify an authenticated FusionPBX user. The attacker crafts a URL containing malicious JavaScript in the id parameter, e.g. https://target/app/contacts/contact_notes.php?id=. If the victim clicks on that link or is redirected to it, the unsanitized id value is echoed directly into the HTML page, causing the attacker's script to execute in the context of the victim's browser session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the authenticated user's browser. This can lead to session hijacking, data theft, defacement, or other malicious actions performed under the victim's identity and permissions within the FusionPBX application.
Mitigation
The vulnerability was fixed on August 13, 2019, in commit 80f2ce087ab1343f1ff3bf8a058eed9b5027eb8c [1][2]. Users should upgrade to FusionPBX version 4.5.8 or later, or apply the patch to their 4.4 or master branch. No other workarounds are documented in the available references.
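Added detection example, not code from the page or from FusionPBX: it scans constructed web-server access-log lines for requests to contact_notes.php whose id parameter would fail the UUID gate the fix introduced, which is exactly the input an unpatched instance echoed into the page. Assumptions: Apache "combined" log format, and a UUID regex mirroring the standard 8-4-4-4-12 form, since the page does not show is_uuid()'s implementation.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: FusionPBX's is_uuid() is not shown on this page; this mirrors the
# standard 8-4-4-4-12 hex form it would be expected to accept.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Apache "combined" access log: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

TARGET_SCRIPT = "/app/contacts/contact_notes.php"


def suspicious_contact_notes_requests(log_lines):
    """Return (ip, timestamp, id_value) for each request to contact_notes.php
    whose id parameter is not a well-formed UUID, i.e. input the patched
    is_uuid() gate rejects and the unpatched page echoed into its HTML."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlparse(m.group("target"))
        if url.path != TARGET_SCRIPT:
            continue
        # keep_blank_values: an empty id is also not a UUID and worth flagging
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not UUID_RE.match(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample lines (not real traffic): one valid UUID, one unrelated
# page, one non-UUID id value and one empty id value.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2019:10:00:01 +0000] "GET /app/contacts/contact_notes.php?id=3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 1523',
    '10.0.0.5 - - [19/Oct/2019:10:00:02 +0000] "GET /app/contacts/contacts.php HTTP/1.1" 200 4021',
    '198.51.100.7 - - [19/Oct/2019:10:00:03 +0000] "GET /app/contacts/contact_notes.php?id=abc123 HTTP/1.1" 200 1600',
    '198.51.100.7 - - [19/Oct/2019:10:00:04 +0000] "GET /app/contacts/contact_notes.php?id= HTTP/1.1" 200 1598',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_contact_notes_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-UUID id={value!r}")
```

A hit on a patched instance is harmless but still worth a look; on an unpatched one it marks a request whose id value reached the victim's browser unencoded.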
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
- 80f2ce087ab1 Update contact_notes.php
1 file changed · +6 −1
app/contacts/contact_notes.php+6 −1 modified@@ -38,6 +38,11 @@ exit; } +//set the uuid + if (is_uuid($_GET['id'])) { + $contact_uuid = $_GET['id']; + } + //show the content echo "<table width='100%' border='0'>\n"; echo "<tr>\n"; @@ -70,7 +75,7 @@ echo "<th style='text-align: right;'>".$text['label-note_user']."</th>\n"; echo "<td class='list_control_icons'>"; if (permission_exists('contact_note_add')) { - echo "<a href='contact_note_edit.php?contact_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='contact_note_edit.php?contact_uuid=".urlencode($contact_uuid)."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } echo "</td>\n"; echo "</tr>\n";
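Review bot: in the first hunk (@@ -38,6 +38,11 @@) `$contact_uuid` is left undefined when `is_uuid($_GET['id'])` fails or when `id` is absent from the URL, so the page still renders and the later `urlencode($contact_uuid)` runs on an unset variable (a PHP notice and an empty `contact_uuid=` link). Either initialise it before the check, e.g. `$contact_uuid = '';`, or, better, stop rendering when the id is not a valid UUID, since no contact can be shown for it; an `isset($_GET['id'])` guard in front of `is_uuid()` also avoids the notice for a missing parameter.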
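Review bot: in the second hunk (@@ -70,7 +75,7 @@) switching the add-note link to the validated `$contact_uuid` wrapped in `urlencode()` closes the reflection, but `urlencode()` is URL-parameter encoding, not HTML attribute encoding; it is only safe here because `is_uuid()` restricts the value to hex digits and hyphens, and a short comment saying that the UUID check is the real guard would help the next reader. The diff changes only this one use of `$_GET['id']` (+6 −1 in a single file), so any other place the raw parameter is read in this page or the files it includes needs the same replacement.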
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/80f2ce087ab1343f1ff3bf8a058eed9b5027eb8c
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-8/