CVE-2019-16982
Description
In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in FusionPBX up to v4.5.7 exists via the unsanitized 'id' parameter in access_control_nodes.php, allowing reflected script injection.
Vulnerability
In FusionPBX up to v4.5.7, app/access_controls/access_control_nodes.php takes the id query parameter from the URL and builds it into the href of the page's "add node" links without encoding suited to that context, so attacker-controlled content reaches the rendered HTML. The page is reachable only by an authenticated user who holds the access_control_node_view permission. The fix was applied in commit c9f87dc [1], which changed how that value is encoded.
Exploitation
The attacker needs an authenticated FusionPBX user who may view the access control nodes page: either their own account, or a victim (typically an administrator) who can be induced to open a crafted URL. The payload is supplied in the id query parameter. When the victim loads the page, the value is written into the markup, and the attacker's JavaScript runs in the victim's browser under that user's session [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the authenticated user's session. This can lead to theft of session cookies, defacement, or other client-side attacks, potentially compromising the administrative interface of FusionPBX [2].
Mitigation
The vulnerability was fixed in commit c9f87dc on 2019-08-07, which replaced escape() with urlencode() where the id parameter is built into link URLs [1]. Upgrade to a release newer than 4.5.7 or apply the commit; the references name no specific fixed release, so applying the commit directly is the safe course. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
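To make the exploitation path and the fix concrete, here is an added PHP example written for this page (it is not FusionPBX's code). It builds the page's "add node" link three ways from the id parameter: the pre-fix shape with HTML escaping, the post-fix shape with urlencode(), and a hardened version that first checks the value is a UUID. The page does not show how FusionPBX's escape() is defined, so the example models it as PHP's htmlspecialchars() with the pre-8.1 default flags, which encode double quotes but leave single quotes alone; that assumption, the payload, and the sample UUID are all constructed here.

```php
<?php
// Added example, not FusionPBX code. Contrasts three ways of building the
// "add node" link from $_GET['id'] with a constructed payload and a sample UUID.
// Assumption: the pre-fix escape() is modelled as htmlspecialchars() with PHP's
// pre-8.1 default flags (ENT_COMPAT), which encodes " but not '. The real
// escape() definition is not shown on the page; this only illustrates the
// single-quoted attribute context the links are built in.

declare(strict_types=1);

function escape_compat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Vulnerable shape: HTML-escape a value, then drop it into a single-quoted href.
// A payload containing ' closes the attribute and adds its own attributes.
function add_link_vulnerable(string $id): string
{
    return "<a href='access_control_node_edit.php?access_control_uuid="
        . escape_compat($id) . "'>add</a>";
}

// Patched shape (commit c9f87dc): URL-encode the query-string component.
// urlencode() emits only A-Z a-z 0-9 - _ . + and %XX, so no quote, angle
// bracket or ampersand can reach the attribute.
function add_link_fixed(string $id): string
{
    return "<a href='access_control_node_edit.php?access_control_uuid="
        . urlencode($id) . "'>add</a>";
}

// Hardened shape: the value is meant to be an access_control_uuid, so reject
// anything that is not a UUID before it is used at all. Returns null on reject
// so the caller can answer with "access denied" or HTTP 400.
function add_link_validated(string $id): ?string
{
    $uuid_re = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (!preg_match($uuid_re, $id)) {
        return null;
    }
    return add_link_fixed($id);
}

// Constructed inputs: an attribute-breakout payload and a well-formed UUID.
$payload = "' onmouseover='alert(document.cookie)";
$uuid    = '8f7a2a4e-1f0c-4d5a-9e1b-3c2d4e5f6a7b';

foreach ([$payload, $uuid] as $id) {
    echo "input:      " . $id . "\n";
    echo "vulnerable: " . add_link_vulnerable($id) . "\n";
    echo "fixed:      " . add_link_fixed($id) . "\n";
    echo "validated:  " . (add_link_validated($id) ?? 'rejected') . "\n\n";
}
```

Run it with `php example.php`. For the payload, the vulnerable line shows the attribute closing early and an onmouseover handler landing inside the `<a>` tag, the fixed line shows the whole value percent-encoded inside the query string, and the validated line rejects it outright; for the UUID all three produce the same usable link. Encoding for the right context (URL component inside an attribute) closes the reported hole; validating the value's shape removes the question entirely.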
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
- c9f87dc16def: Update access_control_nodes.php (1 file changed, +8 −7)
app/access_controls/access_control_nodes.php+8 −7 modified@@ -13,7 +13,7 @@ The Original Code is FusionPBX The Initial Developer of the Original Code is Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2018 + Portions created by the Initial Developer are Copyright (C) 2019 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane <markjcrane@fusionpbx.com> @@ -26,7 +26,8 @@ //check permissions if (!permission_exists('access_control_node_view')) { - echo "access denied"; exit; + echo "access denied"; + exit; } //add multi-lingual support @@ -87,7 +88,7 @@ echo th_order_by('node_description', $text['label-node_description'], $order_by, $order); echo "<td class='list_control_icons'>"; if (permission_exists('access_control_node_add')) { - echo "<a href='access_control_node_edit.php?access_control_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo "<a href='access_control_node_edit.php?access_control_uuid=".urlencode($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; } else { echo " \n"; @@ -98,7 +99,7 @@ if (is_array($access_control_nodes)) { foreach($access_control_nodes as $row) { if (permission_exists('access_control_node_edit')) { - $tr_link = "href='access_control_node_edit.php?access_control_uuid=".escape($row['access_control_uuid'])."&id=".escape($row['access_control_node_uuid'])."'"; + $tr_link = "href='access_control_node_edit.php?access_control_uuid=".urlencode($row['access_control_uuid'])."&id=".urlencode($row['access_control_node_uuid'])."'"; } echo "<tr ".$tr_link.">\n"; echo " <td valign='top' class='".$row_style[$c]."'>".escape($row['node_type'])." </td>\n"; 
@@ -107,10 +108,10 @@ echo " <td valign='top' class='".$row_style[$c]."'>".escape($row['node_description'])." </td>\n"; echo " <td class='list_control_icons'>"; if (permission_exists('access_control_node_edit')) { - echo "<a href='access_control_node_edit.php?access_control_uuid=".escape($row['access_control_uuid'])."&id=".escape($row['access_control_node_uuid'])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>"; + echo "<a href='access_control_node_edit.php?access_control_uuid=".urlencode($row['access_control_uuid'])."&id=".urlencode($row['access_control_node_uuid'])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>"; } if (permission_exists('access_control_node_delete')) { - echo "<a href='access_control_node_delete.php?access_control_uuid=".escape($row['access_control_uuid'])."&id=".escape($row['access_control_node_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>"; + echo "<a href='access_control_node_delete.php?access_control_uuid=".urlencode($row['access_control_uuid'])."&id=".urlencode($row['access_control_node_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>"; } echo " </td>\n"; echo "</tr>\n"; @@ -122,7 +123,7 @@ echo "</table>\n"; if (permission_exists('access_control_node_add')) { echo "<div style='float: right;'>\n"; - echo " <a href='access_control_node_edit.php?access_control_uuid=".escape($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; + echo " <a href='access_control_node_edit.php?access_control_uuid=".urlencode($_GET['id'])."' alt='".$text['button-add']."'>$v_link_label_add</a>"; echo "</div>\n"; } echo "<br />\n";
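Review bot: in the header add-link hunk (`list_control_icons`, around line 88), `$_GET['id']` is still read with no isset() check and no validation before it is placed in the URL. The value is an access_control_uuid, so check it against a UUID pattern near the permission check and treat a non-match the same way as a failed permission (`echo "access denied"; exit;`). urlencode() is the right encoder for this spot: its output contains only unreserved characters, `+` and `%XX`, so the value cannot close the single-quoted href, which is what matters in this attribute context.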
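Review bot: in the row-loop hunk (around line 99), `$tr_link` is assigned only inside `if (permission_exists('access_control_node_edit'))`, but `echo "<tr ".$tr_link.">\n";` runs unconditionally, so a user without that permission gets an undefined variable on the first row and stale links carried over on later rows if it was ever set. Initialise it with `$tr_link = '';` at the top of each iteration. The `&id=` in the generated href should also be `&amp;` in HTML output.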
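Review bot: in the edit/delete hunk (around line 108), the delete action is a plain GET link to access_control_node_delete.php guarded only by a client-side `confirm()`; unless that script checks an anti-CSRF token, any page an administrator visits can trigger the deletion by loading that URL. Prefer a POST form carrying a token. Also, `alt` is not an attribute of `<a>`; use `title` for the hover text on these links.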
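Review bot: in the footer add-link hunk (around line 123), the same `urlencode($_GET['id'])` expression as the header link is repeated. Compute the validated, encoded id once near the permission check and reuse it in both links, so the two cannot drift apart and `$_GET['id']` is read in exactly one place.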
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/fusionpbx/fusionpbx/commit/c9f87dc16def2135930ebbfd667651cc3f6de2ff (MISC)
- [2] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-14/ (MISC)