CVE-2019-16981
Description
In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 has a reflected XSS in conference_profile_params.php via unsanitized 'id' parameter.
Vulnerability
The vulnerability exists in the file app/conference_profiles/conference_profile_params.php in FusionPBX up to version 4.5.7. The id parameter from the URL is concatenated straight into the single-quoted href attribute of the "add" link, once in the top list controls and once in the bottom list controls, without any escaping. A single quote in the value therefore terminates the attribute, and the remainder of the parameter is parsed as further attributes on the <a> element, which is a reflected cross-site scripting (XSS) flaw [1][2].
Exploitation
An attacker must trick an authenticated user into opening a specially crafted URL whose id parameter breaks out of the href attribute and introduces JavaScript (for example through an event-handler attribute). The injected script then executes in the user's browser within the origin of the FusionPBX application [2]. Both reflections sit inside a permission_exists('conference_profile_param_add') branch (see the patch), so the link, and with it the payload, is only rendered for a victim who is logged in with that permission.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, or other malicious actions performed under the victim's authenticated session [2].
Mitigation
The issue was fixed on the same day it was reported (2019-10-08) via commit 021ff8f8e51cd1254d19e88e7aedc4b795067f8d, which wraps $_GET['id'] in escape() at both reflection points [1][2]. Users should upgrade to a version that includes this patch or apply the two-line change manually. No workaround is documented; because the parameter is a conference profile UUID, validating it against the UUID format before use would be a reasonable additional hardening, but that is not part of the upstream fix.
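The vulnerable rendering, the patched rendering and an extra allowlist check, as an added example that is not FusionPBX's own code. It models the href concatenation described under Vulnerability, the attribute breakout described under Exploitation, and the escape() fix described under Mitigation. The escape() here is a stand-in for the FusionPBX helper of the same name (assumption: it wraps htmlspecialchars with ENT_QUOTES); the is_uuid_string() allowlist and the render_* function names are hypothetical, and the table markup and $text labels around the real link are omitted.

```php
<?php
// Added example, not FusionPBX code: a minimal model of the two reflections
// in conference_profile_params.php and of the escape-on-output fix, plus an
// input allowlist that the patch does not add. escape() is a stand-in for
// the FusionPBX helper (assumption: htmlspecialchars with ENT_QUOTES).

function escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-patch: the raw id is concatenated into a single-quoted href, so a
// single quote in the value terminates the attribute and everything after
// it becomes new attributes on the <a> element.
function render_add_link_vulnerable(string $id): string {
    return "<a href='conference_profile_param_edit.php?conference_profile_uuid=" . $id . "' alt='Add'>+</a>";
}

// Post-patch (commit 021ff8f8e51c): identical markup with escape() applied,
// so quotes, angle brackets and ampersands are emitted as entities.
function render_add_link_patched(string $id): string {
    return "<a href='conference_profile_param_edit.php?conference_profile_uuid=" . escape($id) . "' alt='Add'>+</a>";
}

// Defence in depth (hypothetical, not part of the upstream fix): the value is
// used as a UUID, so reject anything that does not look like one before it
// ever reaches a template.
function is_uuid_string(string $s): bool {
    return preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $s) === 1;
}

function render_add_link_hardened(string $id): string {
    if (!is_uuid_string($id)) {
        throw new InvalidArgumentException('conference_profile_uuid must be a UUID');
    }
    return render_add_link_patched($id);
}

// Constructed inputs: a breakout payload of the kind a victim would receive
// in a crafted URL (already URL-decoded, as $_GET['id'] would be), and a
// well-formed UUID.
$payload = "' onmouseover='alert(document.cookie)";
$uuid    = '0a1b2c3d-1111-4222-8333-444455556666';

echo "vulnerable: ", render_add_link_vulnerable($payload), "\n";
echo "patched:    ", render_add_link_patched($payload), "\n";
foreach ([$payload, $uuid] as $id) {
    try {
        echo "hardened:   ", render_add_link_hardened($id), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   rejected (", $e->getMessage(), ")\n";
    }
}
```

Run it with `php example.php`. In the vulnerable output the payload's leading quote closes the href value and `onmouseover` becomes a live attribute on the link; in the patched output the same quote is emitted as an HTML entity, so the browser keeps the entire parameter inside href. The hardened variant refuses the payload before rendering and passes the UUID through unchanged, which is the check a reviewer would ask for in addition to output escaping, since the escaping only works as long as every new reflection point remembers to call escape().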
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
021ff8f8e51c Update conference_profile_params.php
1 file changed · +2 −2
app/conference_profiles/conference_profile_params.php+2 −2 modified@@ -73,7 +73,7 @@ echo th_order_by('profile_param_description', $text['label-profile_param_description'], $order_by, $order); echo "<td class='list_control_icons'>"; if (permission_exists('conference_profile_param_add')) { - echo "<a href='conference_profile_param_edit.php?conference_profile_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='conference_profile_param_edit.php?conference_profile_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo " \n"; @@ -113,7 +113,7 @@ echo " <td width='33.3%' align='center' nowrap='nowrap'>$paging_controls</td>\n"; echo " <td class='list_control_icons'>"; if (permission_exists('conference_profile_param_add')) { - echo "<a href='conference_profile_param_edit.php?conference_profile_uuid=".$_GET['id']."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='conference_profile_param_edit.php?conference_profile_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo " ";
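Review bot: in the hunk at @@ -73, escape() is applied inside a single-quoted href attribute, so the fix only holds if escape() encodes single quotes (htmlspecialchars with ENT_QUOTES or equivalent); if it only handles double quotes and angle brackets, a value such as `' onmouseover='...` still breaks out of the attribute. Please confirm escape()'s behaviour for `'`, and since conference_profile_uuid is a UUID, consider rejecting any $_GET['id'] that does not match the UUID format before the page builds the link, rather than relying on output escaping alone. Minor: `alt` is not a valid attribute on `<a>`; `title` is probably what was intended.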
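Review bot: the hunk at @@ -113 builds exactly the same link string as the one at @@ -73 a second time, which is how one reflection could be fixed and the other missed. Compute the escaped href once above the table, for example `$add_link = "conference_profile_param_edit.php?conference_profile_uuid=".escape($_GET['id']);`, and echo `$add_link` at both positions so there is a single place to escape (or validate) the value.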
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/fusionpbx/fusionpbx/commit/021ff8f8e51cd1254d19e88e7aedc4b795067f8d (MISC)
- [2] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-13/ (MISC)
News mentions
No linked articles in our index yet.