CVE-2019-16978
Description
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 has XSS in device_settings.php via an unsanitized 'id' URL parameter reflected in HTML.
Vulnerability
In FusionPBX up to v4.5.7, the file app/devices/device_settings.php uses an unsanitized id variable from the URL, which is reflected on two occasions in HTML, leading to reflected cross-site scripting (XSS). The affected versions are those before the commit at [1], which fixed the issue on 13/08/2019 for the 4.4 and master branches.
Exploitation
An attacker needs to craft a URL with a malicious id parameter (e.g., containing JavaScript) and trick an authenticated user into clicking it. No special network position or write access is required; the user must simply visit the crafted link. The reflected XSS occurs in the HTML output of the page, so the attacker's payload executes in the victim's browser context.
Impact
The attacker gains the ability to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or further actions within the FusionPBX application context. The compromise is at the user level, with scope limited to the victim's session and interactions.
Mitigation
The fix is provided in commit [1], which checks that the id variable has UUID form (is_uuid) before it is used and URL-encodes it on output. The fixed versions are those after 13/08/2019 on the 4.4 and master branches. Users should update to a patched release. No workaround is documented; the vulnerability is closed by the patch.
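As an added illustration, not FusionPBX code and not the patched file, the same fix written to fail closed: the id parameter must have UUID shape or the request stops, and the value is encoded for both contexts it is written into, the URL query string and the HTML attribute around it. is_valid_uuid, require_uuid_param and add_setting_link are assumed helper names, and the sample inputs are constructed.

```php
<?php
// Added example, not FusionPBX code: a fail-closed variant of the fix for
// device_settings.php. The request parameter "id" is accepted only if it has
// UUID shape, the request stops otherwise, and the value is encoded for both
// contexts it is written into: a URL query value and an HTML attribute.

// RFC 4122 textual form: 8-4-4-4-12 hex digits. Anything else is rejected.
function is_valid_uuid($value): bool
{
    return is_string($value)
        && preg_match('/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i', $value) === 1;
}

// Return the validated UUID or stop the request with 400; never continue with
// an unset variable the way an if-without-else would.
function require_uuid_param(array $params, string $name): string
{
    $value = $params[$name] ?? null;
    if (!is_valid_uuid($value)) {
        http_response_code(400);
        exit('invalid ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return strtolower($value);
}

// Build the "add setting" link. urlencode() covers the query-string context,
// htmlspecialchars() covers the attribute context the URL is placed in.
function add_setting_link(string $device_uuid, string $label): string
{
    $href = 'device_setting_edit.php?device_uuid=' . urlencode($device_uuid);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>"
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "</a>\n";
}

// Before the fix the page did the equivalent of
//   echo "<a href='device_setting_edit.php?device_uuid=" . $_GET['id'] . "' ...>";
// so whatever arrived in "id" was written into the attribute unencoded.

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['id' => '0F1E2D3C-4B5A-4978-8796-A5B4C3D2E1F0'],   // well-formed, accepted
    ['id' => 'not-a-uuid'],                              // rejected
    [],                                                  // parameter missing, rejected
];
foreach ($samples as $params) {
    $value = $params['id'] ?? null;
    echo (is_valid_uuid($value) ? 'accept ' : 'reject ') . var_export($value, true) . "\n";
}
echo add_setting_link(require_uuid_param($samples[0], 'id'), 'Add');
```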
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
83622c4ee1d9 Update device_settings.php
1 file changed · +25 −16
app/devices/device_settings.php+25 −16 modified@@ -17,34 +17,43 @@ The Initial Developer of the Original Code is Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2012 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane <markjcrane@fusionpbx.com> */ -require_once "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('device_setting_view')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + require_once "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('device_setting_view')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; $text = $language->get(); -require_once "resources/header.php"; -require_once "resources/paging.php"; +//additional includes + require_once "resources/header.php"; + require_once "resources/paging.php"; //get variables used to control the order $order_by = $_GET["order_by"]; $order = $_GET["order"]; - $device_uuid = $_GET["id"]; + +//get the uuid + if (is_uuid($_GET['id'])) { + $device_uuid = $_GET['id']; + } //show the content echo "<table width='100%' cellpadding='0' cellspacing='0' border='0'>\n"; @@ -107,7 +116,7 @@ echo th_order_by('device_setting_description', $text['label-description'], $order_by, $order); echo "<td align='right' width='42'>\n"; if (permission_exists('device_setting_add')) { - echo " <a href='device_setting_edit.php?device_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>\n"; + echo " <a href='device_setting_edit.php?device_uuid=".urlencode($device_uuid)."' alt='".$text['button-add']."'>$v_link_label_add</a>\n"; } else { echo " \n"; 
@@ -161,4 +170,4 @@ //include the footer require_once "resources/footer.php"; -?> \ No newline at end of file +?>
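Review bot: the new block in the first hunk, if (is_uuid($_GET['id'])) { $device_uuid = $_GET['id']; }, has no else branch, so a missing or malformed id leaves $device_uuid unset and the page keeps rendering; $_GET['id'] is also read before any isset check, which raises a notice when the parameter is absent. Fail closed instead, for example else { echo "invalid device id"; exit; }, and guard the read with isset($_GET['id']). The same hunk still assigns $order_by and $order straight from $_GET without validation; whether they are output safely cannot be judged from these lines, but an allow-list of column names would match the treatment now given to id.

Review bot: in the second hunk, urlencode($device_uuid) is the right encoding for the query-string part of the href, but the value also lands inside a single-quoted HTML attribute; it is safe only because $device_uuid is constrained to UUID characters upstream. Wrapping the attribute value in htmlspecialchars(..., ENT_QUOTES) would make the output context-correct on its own. The description says id is reflected on two occasions and only this one echo changes, so confirm the other reflection reads the validated $device_uuid rather than $_GET['id'].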
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/83622c4ee1d9dd1913e9fb01ce8f060b46a5768a (MITRE, x_refsource_MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-11/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.