CVE-2019-16977
Description
In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to 4.5.7 has a reflected XSS in extension_imports.php via the unsanitized query_string parameter.
Vulnerability
FusionPBX versions up to and including 4.5.7 contain a reflected cross-site scripting (XSS) vulnerability in app/extensions/extension_imports.php. The value of the query_string URL parameter is concatenated, without any encoding, into the onclick attribute of the page's Back button (window.location='extensions.php?...'), so attacker-controlled text lands inside a JavaScript string literal that itself sits inside an HTML attribute; a single or double quote in the input is enough to leave that context and run arbitrary JavaScript in the page. The vulnerable statement is line 361 of the file, the line removed by the fix commit [1][2].
Exploitation
An attacker must craft a URL containing a malicious query_string parameter and persuade an authenticated user to click on it. No additional privileges are required beyond the victim being logged into FusionPBX. The injected JavaScript executes in the context of the victim's session on the FusionPBX application [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the authenticated user's browser. This can lead to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The attack scope is limited to the FusionPBX application and the user's session [1].
Mitigation
The vulnerability was fixed in commit fc8e4e2d278ce6bffff21b04248d469a59eb8cd4 on the 4.4 and master branches on 13 August 2019. The fix is a one-line change: it drops $_GET["query_string"] from the onclick handler and points the Back button at the static URL extensions.php, which also means the button no longer restores whatever state the query string carried. Deployments should update to a release containing this commit; because the change is a single line, it can also be applied by hand to installations that cannot upgrade immediately, after checking that the same concatenation pattern is not present elsewhere in the local copy [1][2].
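As an added illustration of the Vulnerability and Mitigation sections above, the PHP below is example code written for this page, not FusionPBX's own: it reproduces the pre-fix Back-button rendering and sets it beside a variant that keeps the back-navigation state while encoding for both the JavaScript-string and the HTML-attribute context. The allowlist ALLOWED_KEYS, the two function names and the constructed inputs are assumptions made for the example; $label stands in for $text['button-back'].

```php
<?php
// Added example (not FusionPBX code). Models the Back-button rendering from
// extension_imports.php in its pre-fix form, and a hardened variant that keeps
// the back-navigation state without reflecting raw input. ALLOWED_KEYS,
// render_back_button_vulnerable() and render_back_button_safe() are names
// chosen for this example; $label stands in for $text['button-back'].

const ALLOWED_KEYS = ['order_by', 'order', 'search', 'page'];

// Pre-fix pattern: the raw GET value is concatenated into a single-quoted
// JavaScript string that itself sits inside a double-quoted HTML attribute.
// Either a ' or a " in the input escapes its enclosing context.
function render_back_button_vulnerable(array $get, string $label): string
{
    $query_string = $get['query_string'] ?? '';
    return "<input type='button' class='btn' alt='" . $label . "'"
        . " onclick=\"window.location='extensions.php?" . $query_string . "'\""
        . " value='" . $label . "'>\n";
}

// Hardened pattern: parse query_string, keep only allowlisted scalar keys,
// rebuild the URL with http_build_query(), emit it as a JavaScript string
// literal via json_encode(), then HTML-encode the finished attribute value.
function render_back_button_safe(array $get, string $label): string
{
    $parsed = [];
    parse_str((string) ($get['query_string'] ?? ''), $parsed);

    $params = [];
    foreach (ALLOWED_KEYS as $key) {
        if (isset($parsed[$key]) && is_string($parsed[$key])) {
            $params[$key] = $parsed[$key];
        }
    }

    // After RFC 3986 encoding the URL is pure ASCII, so json_encode() below cannot fail.
    $url = 'extensions.php';
    if ($params !== []) {
        $url .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }

    // JS-string context first: json_encode() yields a quoted literal and the
    // HEX flags turn " ' < > & into \uXXXX escapes, so nothing can close the literal.
    $js = 'window.location=' . json_encode(
        $url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // Then HTML-attribute context: the browser entity-decodes the attribute
    // before the JavaScript engine ever sees it.
    $attr = htmlspecialchars($js, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_label = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<input type='button' class='btn' alt='" . $safe_label . "'"
        . " onclick=\"" . $attr . "\" value='" . $safe_label . "'>\n";
}

// Constructed inputs: a normal back-navigation state and a breakout attempt
// that closes the single-quoted JavaScript string in the vulnerable version.
$cases = [
    'benign'  => ['query_string' => 'order_by=extension&order=asc'],
    'hostile' => ['query_string' => "x'; alert(document.domain); //"],
];

foreach ($cases as $name => $get) {
    echo "== $name (vulnerable) ==\n", render_back_button_vulnerable($get, 'Back');
    echo "== $name (hardened)   ==\n", render_back_button_safe($get, 'Back');
}
```

Running the script with php shows, for the hostile case, the vulnerable markup ending the JavaScript string literal at the attacker's quote, while the hardened markup drops the unknown key and emits only entity-encoded text in the attribute. The upstream fix went further and removed the dynamic URL altogether, which is the smallest correct change; the allowlist variant is what to reach for if the back-navigation state must be kept.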
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX / FusionPBX
Patches
fc8e4e2d278c Update extension_imports.php
1 file changed · +1 −1
app/extensions/extension_imports.php+1 −1 modified@@ -358,7 +358,7 @@ function get_parent($schema,$table_name) { echo " ".$text['description-import']."\n"; echo " </td>\n"; echo " <td valign='top' width='70%' align='right'>\n"; - echo " <input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='extensions.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n"; + echo " <input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='extensions.php'\" value='".$text['button-back']."'>\n"; //echo " <input name='submit' type='submit' class='btn' id='import' value=\"".$text['button-import']."\">\n"; echo " </td>\n"; echo " </tr>\n";
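Review bot: Hard-coding `extensions.php` closes the reflected sink on line 361 but silently drops whatever state the query string carried, so the Back button no longer returns the user to the list view they came from; if that behaviour is wanted, rebuild the URL from allowlisted keys with http_build_query() and encode it for the JavaScript-string and HTML-attribute contexts (json_encode() followed by htmlspecialchars(..., ENT_QUOTES)) rather than reintroducing raw $_GET["query_string"]. Two smaller points on the same hunk: the commented-out import-button echo in the trailing context is dead code that could go in the same change, and the commit title "Update extension_imports.php" does not say this is an XSS fix, which makes it harder for packagers to spot when backporting.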
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/fusionpbx/fusionpbx/commit/fc8e4e2d278ce6bffff21b04248d469a59eb8cd4 (MISC)
[2] https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-10/ (MISC)