CVE-2019-16979
Description
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 has a reflected XSS in contact_urls.php via unsanitized 'id' parameter.
Vulnerability
Reflected cross-site scripting vulnerability in FusionPBX up to version 4.5.7, specifically in the file app/contacts/contact_urls.php. The id parameter from the URL is directly embedded into HTML output without sanitization, allowing an attacker to inject arbitrary JavaScript. Affected versions include all FusionPBX releases up to 4.5.7. [1]
Exploitation
An attacker must trick an authenticated FusionPBX user into clicking a crafted URL containing a malicious id parameter. No other authentication or privileges are required from the attacker beyond constructing the URL. The injected JavaScript executes in the context of the victim's browser session within the FusionPBX application.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. The attacker can perform actions on behalf of the authenticated user, such as modifying contacts, stealing session cookies, or defacing the interface. This compromises the confidentiality, integrity, and availability of the user's session and data.
Mitigation
The issue was fixed in commit a76d9637e31a70060ecc38786246a8b1c9178322 [2] by validating the id parameter with is_uuid() and using urlencode() before output. The fix was applied to the 4.4 and master branches on August 13, 2019 [1]. Users are advised to update to a patched version or apply the commit manually. There is no known workaround.
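As an added example (not FusionPBX code), the validate-then-encode pattern the fix applies, extended with an explicit rejection path and HTML-attribute escaping on top of urlencode(). is_uuid_like() is an assumed stand-in for FusionPBX's own is_uuid(), and contact_url_add_link() is a hypothetical helper.

```php
<?php
// Added example, not FusionPBX code. is_uuid_like() is an assumed stand-in
// for FusionPBX's is_uuid() so that this file runs on its own.
function is_uuid_like(string $value): bool {
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

// Hypothetical helper: returns the "add" link HTML for a validated contact
// UUID, or null when the request must be rejected. Keeping the reject path
// explicit avoids rendering the page with an unset $contact_uuid.
function contact_url_add_link(?string $id, string $label): ?string {
    if ($id === null || !is_uuid_like($id)) {
        return null;
    }
    // Encode for the query-string context first ...
    $href = 'contact_url_edit.php?contact_uuid=' . urlencode($id);
    // ... then escape for the HTML attribute/text context the value lands in.
    $attr = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<a href='" . $attr . "' title='" . $text . "'>" . $text . "</a>";
}

// Constructed usage: reject anything that is not a UUID before any output.
$link = contact_url_add_link($_GET['id'] ?? null, 'Add');
if ($link === null) {
    http_response_code(400);
    exit('invalid contact id');
}
echo $link, "\n";
```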
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
a76d9637e31a Update contact_urls.php
1 file changed · +6 −1
app/contacts/contact_urls.php+6 −1 modified@@ -38,6 +38,11 @@ exit; } +//set the uuid + if (is_uuid($_GET['id'])) { + $contact_uuid = $_GET['id']; + } + //show the content echo "<table width='100%' border='0'>\n"; echo "<tr>\n"; @@ -69,7 +74,7 @@ echo "<th>".$text['label-url_description']."</th>\n"; echo "<td class='list_control_icons'>"; if (permission_exists('contact_url_add')) { - echo "<a href='contact_url_edit.php?contact_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='contact_url_edit.php?contact_uuid=".urlencode($contact_uuid)."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } echo "</td>\n"; echo "</tr>\n";
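Review bot: the new `if (is_uuid($_GET['id']))` block in the first hunk has no else branch, so when the parameter is missing or not a UUID `$contact_uuid` is never assigned and rendering continues with an undefined variable (the second hunk then passes it to `urlencode()`). Reject the request explicitly, e.g. `} else { http_response_code(400); exit; }`, or at minimum initialise `$contact_uuid = '';` before the check; `$_GET['id']` is also read without an `isset()` guard, which raises an undefined-index notice when the parameter is absent.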
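Review bot: in the second hunk, `urlencode($contact_uuid)` encodes for the query-string context only, yet the value is concatenated straight into a single-quoted HTML attribute, so it should additionally be HTML-escaped for the attribute context; it is safe as written only because the first hunk restricts the value to UUID characters, and that coupling deserves a comment. Two smaller points on the same line: `$text['button-add']` is emitted unescaped, and `alt` is not a valid attribute on `<a>` (use `title`).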
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/a76d9637e31a70060ecc38786246a8b1c9178322 (MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-12/ (MISC)