VYPR
Unrated severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 5, 2024

CVE-2019-16976

Description

In FusionPBX up to 4.5.7, the file app\destinations\destination_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX ≤ 4.5.7 echoes the unsanitized query_string URL parameter into HTML in destination_imports.php, enabling reflected XSS.

Vulnerability

In FusionPBX up to version 4.5.7, the file app/destinations/destination_imports.php interpolates the $_GET["query_string"] parameter directly into HTML output at two locations, without validation or output encoding. This allows an attacker to inject arbitrary JavaScript through a crafted URL parameter. The vulnerable code is at lines 470 and 940 of the file, where the query_string value is concatenated into a window.location assignment inside the onclick attribute of a "back" button, so the value lands in two nested contexts (a JavaScript string literal inside an HTML attribute) with no encoding for either [1][2].

Exploitation

An attacker must craft a URL that includes a malicious query_string parameter containing JavaScript payloads, such as ?query_string=. The attacker then tricks an authenticated FusionPBX user into visiting that URL. The user's browser will execute the injected script because the server reflects the unsanitized parameter directly into the HTML response without escaping [2]. No special network position or authentication is required for the attacker beyond the ability to deliver the malicious link to a victim.

Impact

Successful exploitation leads to reflected cross-site scripting (XSS) within the victim's browser session. The attacker can execute arbitrary JavaScript in the context of the FusionPBX application, potentially allowing session hijacking, defacement, or access to sensitive information available to the authenticated user. The impact is limited to the victim's browser and does not directly compromise the server itself [1][2].

Mitigation

The vulnerability was patched in commit d6ea02d on August 13, 2019, on the FusionPBX 4.4 and master branches [1][2]; the fix removes the query_string parameter from both onclick attributes rather than encoding it. Users should upgrade to a release later than 4.5.7 that includes this fix. Until a patched version is deployed, administrators can block or sanitize the query_string parameter at a web application firewall, or edit the file to remove the unsanitized variable from the HTML output.
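The project's own fix, as the diff below shows, simply drops the parameter. The following is an added PHP example, not FusionPBX code, showing the alternative a reviewer would ask for if the back button needs to keep the caller's filter state: parse the untrusted query string, keep only an allow-list of expected keys, re-encode the values, and then encode the resulting URL once for the JavaScript string context and once for the HTML attribute context. The allow-list in ALLOWED_QUERY_KEYS, the helper names, and the sample inputs are assumptions for illustration and are not taken from the project.

```php
<?php
// Added example (not FusionPBX code). Rebuilds the "back" link that
// destination_imports.php used to build from a raw $_GET["query_string"].
// Assumption: query_string carries a destinations.php filter such as
// "search=...&order_by=...", so we allow-list the keys and re-encode values.

declare(strict_types=1);

/** Keys destinations.php is assumed (hypothetically) to accept as filters. */
const ALLOWED_QUERY_KEYS = ['search', 'order_by', 'order', 'page'];

/**
 * Rebuild a clean query string from an untrusted one: parse it, keep only
 * allow-listed scalar keys, then re-encode every value with http_build_query.
 */
function sanitize_query_string(string $untrusted): string
{
    parse_str($untrusted, $params);
    $clean = [];
    foreach (ALLOWED_QUERY_KEYS as $key) {
        if (isset($params[$key]) && is_scalar($params[$key])) {
            $clean[$key] = (string) $params[$key];
        }
    }
    return http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Build the back-button HTML. The URL is placed into a JavaScript string
 * literal (json_encode) and then the whole attribute value is HTML-encoded
 * (htmlspecialchars with ENT_QUOTES), covering both nesting contexts.
 */
function back_button_html(string $untrusted_query_string, string $label): string
{
    $url = '/app/destinations/destinations.php';
    $qs = sanitize_query_string($untrusted_query_string);
    if ($qs !== '') {
        $url .= '?' . $qs;
    }
    // json_encode yields a double-quoted JS string literal; with the HEX flags,
    // quotes, '<', '>' and '&' are emitted as \uXXXX escapes so the value can
    // never terminate the string or the script context.
    $js = 'window.location=' . json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    ) . ';';
    // The attribute is delimited by double quotes; ENT_QUOTES encodes both
    // quote kinds, so nothing in $js can close the onclick attribute early.
    $attr  = htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $value = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='button' class='btn' onclick=\"{$attr}\" value='{$value}'>";
}

// Constructed inputs for demonstration (not real traffic).
$benign  = 'search=sales&order_by=destination_number&order=asc';
// Metacharacters that would break out of the attribute and JS contexts if
// echoed raw, plus a key that is not on the allow-list.
$hostile = "search=x'\"><&unexpected=1";

echo back_button_html($benign, 'Back'), "\n";
echo back_button_html($hostile, 'Back'), "\n";
```

With the hostile input the search value is percent-encoded by http_build_query before it ever reaches the URL, the unexpected key is dropped, and the only double quotes in the attribute are the JSON string delimiters, which htmlspecialchars turns into &quot;. The browser decodes the attribute entities before handing the text to the JavaScript parser, so window.location receives the intended URL and nothing else.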

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

d6ea02d896b2

Update destination_imports.php

https://github.com/fusionpbx/fusionpbx · FusionPBX · Aug 13, 2019 · via osv
1 file changed · +2 −2
  • app/destinations/destination_imports.php · +2 −2 · modified
    @@ -467,7 +467,7 @@ function get_parent($schema,$table_name) {
     			echo "<tr>\n";
    
     			echo "<td align='left' width='30%' nowrap='nowrap'><b>".$text['header-destinations_import']."</b></td>\n";
    
     			echo "<td width='70%' align='right'>\n";
    
    -			echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='/app/destinations/destinations.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n";
    
    +			echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='/app/destinations/destinations.php'\" value='".$text['button-back']."'>\n";
    
     			echo "</td>\n";
    
     			echo "</tr>\n";
    
     			echo "<tr>\n";
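Review bot: The `-`/`+` pair at line 470 closes the injection by dropping `$_GET["query_string"]` from the onclick entirely, which also drops the ability to return the user to the filtered destinations list they came from; if that state matters, the value should be rebuilt from an allow-list of expected keys and encoded for both nesting contexts (a JavaScript string literal inside a double-quoted HTML attribute, e.g. json_encode followed by htmlspecialchars with ENT_QUOTES) rather than removed. The commit message "Update destination_imports.php" also does not say this is a security fix for reflected XSS via query_string; naming it would help downstream packagers pick up the change.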
    
    @@ -937,7 +937,7 @@ function get_parent($schema,$table_name) {
     	echo "		".$text['description-destination_import']."\n";
    
     	echo "	</td>\n";
    
     	echo "	<td valign='top' width='70%' align='right'>\n";
    
    -	echo "		<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='/app/destinations/destinations.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n";
    
    +	echo "		<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='/app/destinations/destinations.php'\" value='".$text['button-back']."'>\n";
    
     	//echo "		<input name='submit' type='submit' class='btn' id='import' value=\"".$text['button-import']."\">\n";
    
     	echo "	</td>\n";
    
     	echo "	</tr>\n";
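Review bot: Same change as at line 470, applied at line 940; both back buttons now build an identical literal URL, so a single helper (or a plain <a href='/app/destinations/destinations.php'> link instead of inline onclick JavaScript) would keep the two from diverging again and would make any future reintroduction of a raw $_GET value easier to spot in review. The commented-out submit input on the following context line is unchanged and unrelated to the fix.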
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.