CVE-2019-16984
Description
In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 suffers from a reflected XSS in recording_play.php due to an unsanitized, base64-decoded filename parameter.
Vulnerability
In FusionPBX up to v4.5.7, app/recordings/recording_play.php takes a filename parameter from the URL, base64-decodes it, and echoes it into HTML without sanitization. The fix commit shows two unsanitized sinks: the text node <b>file: <?php echo $filename ?></b> and the name="sound_..." attribute of the <embed> tag; the patch wraps both in escape() [1][2]. The src attributes already passed the value through urlencode() and were left unchanged.
Exploitation
An attacker must trick an authenticated FusionPBX user into clicking a crafted URL; no other privileges or network position are required beyond that user interaction [2]. The page's own access check (the "access denied" branch in the patch context) means an unauthenticated visitor gets nothing, but for a logged-in victim the attacker's URL carries the filename parameter as a base64-encoded JavaScript payload, which the page decodes and reflects into the response, where it executes in the victim's browser under the victim's session.
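The mechanism described above, as an added example that is not FusionPBX's own code: a minimal PHP model of the two output sinks in recording_play.php before and after the fix, driven by a constructed base64-encoded payload. The escape() here is a stand-in built on htmlspecialchars (the real helper's body is not shown on this page), render_vulnerable() and render_fixed() are hypothetical names, and the base64 step follows the CVE description rather than the visible diff, which does not show where the decode happens.

```php
<?php
// Added example, not FusionPBX code. Models the two output sinks of
// app/recordings/recording_play.php before and after commit 11f2dd2.
// Assumptions: escape() stands in for FusionPBX's helper (its real body is
// not on this page); render_vulnerable()/render_fixed() are hypothetical names;
// the base64 step follows the CVE description, not the visible diff.

// HTML-encode for both text-node and attribute context. ENT_QUOTES is what makes
// the name="sound_..." attribute sink safe; an encoder that skips quotes is not.
function escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-patch: raw reflection into a text node and into a quoted attribute.
function render_vulnerable(string $filename, string $type): string
{
    $src = 'recordings.php?a=download&type=' . urlencode($type)
         . '&filename=' . urlencode($filename);
    return "<b>file: $filename</b>\n"
         . '<embed src="' . $src . '" name="sound_' . $filename . '">' . "\n";
}

// Post-patch: both sinks wrapped in escape(); src already used urlencode().
function render_fixed(string $filename, string $type): string
{
    $src = 'recordings.php?a=download&type=' . urlencode($type)
         . '&filename=' . urlencode($filename);
    return '<b>' . escape($filename) . "</b>\n"
         . '<embed src="' . $src . '" name="sound_' . escape($filename) . '">' . "\n";
}

// Attacker side (constructed payload): the leading "> closes the attribute in
// the embed sink; in the <b> text node it is just inert text, so one payload
// exercises both sinks.
$payload = '"><script>alert(document.cookie)</script>';
$param   = base64_encode($payload);
$crafted = 'recording_play.php?type=rec&filename=' . urlencode($param);

// Victim side: what the page does with the parameter once the user is logged in.
$decoded = base64_decode($param, true);
if ($decoded === false) {
    fwrite(STDERR, "parameter is not valid base64\n");
    exit(1);
}

echo "Crafted URL: $crafted\n\n";
echo "Before fix:\n" . render_vulnerable($decoded, 'rec') . "\n";
echo "After fix:\n"  . render_fixed($decoded, 'rec') . "\n";

// Regression check a reviewer would want: neither a tag nor an attribute
// break-out from the payload may survive in the fixed output.
$fixed = render_fixed($decoded, 'rec');
if (strpos($fixed, '<script') !== false || strpos($fixed, 'sound_">') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "Check passed: payload neutralised in both sinks.\n";
```

Run it with the PHP CLI; the "Before fix" block shows the attribute break-out and a live script tag, the "After fix" block shows the same bytes rendered as &quot;&gt;&lt;script&gt;. The point of using one payload with a leading "> is to show that escaping the text node alone would not have been enough: the attribute sink is only closed off because escape() encodes the double quote.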
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s session. This can lead to session hijacking, phishing, or other client-side attacks, compromising the confidentiality and integrity of the user's interaction with FusionPBX.
Mitigation
The vulnerability was fixed in commit 11f2dd2 on 7 September 2019 by Mark J Crane, which wraps the reflected filename in escape() at both output sinks [1][2]. Upgrade to a release newer than v4.5.7 that contains this commit. To confirm a deployment is patched, inspect app/recordings/recording_play.php for escape($filename) at both sinks rather than relying on the version string alone. No workaround is provided; as a general precaution, avoid clicking untrusted links.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX (up to v4.5.7)
Patches
11f2dd2254db: Update recording_play.php
1 file changed · +5 −4
app/recordings/recording_play.php+5 −4 modified@@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2016 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): @@ -37,7 +37,8 @@ echo "access denied"; exit; } - + +//get the variables $filename = $_GET['filename']; $type = $_GET['type']; //moh //rec @@ -51,7 +52,7 @@ <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align='center'> - <b>file: <?php echo $filename ?></b> + <b><?php echo escape($filename) ?></b> </td> </tr> <tr> @@ -69,7 +70,7 @@ } else { echo "<audio src=\"http://localhost:8000/mod/recordings/recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\" autoplay=\"autoplay\"></audio>"; - echo "<embed src=\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\" autostart=\"true\" width=\"300\" height=\"90\" name=\"sound_".$filename."\" enablejavascript=\"true\">\n"; + echo "<embed src=\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\" autostart=\"true\" width=\"300\" height=\"90\" name=\"sound_".escape($filename)."\" enablejavascript=\"true\">\n"; } } if ($file_ext == "mp3") {
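Review bot: in the "//get the variables" hunk, $filename = $_GET['filename'] and $type = $_GET['type'] are still read with no isset() check and no validation of their shape, so the fix depends entirely on remembering to escape at every later sink; since the value is only ever a recording name, consider rejecting unexpected input at this point (an allowlist pattern applied to the form the page actually uses) so that a new echo of $filename added later cannot reintroduce the bug. The CVE description also says the parameter arrives base64-encoded, but no base64_decode() appears in the visible context; confirm where the decode happens and that escape() is applied to the decoded value.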
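Review bot: in the <b> hunk the literal "file: " label is dropped in the same line that adds the escape() wrapper, which changes what the user sees; if that is unintentional, keep the label: <b>file: <?php echo escape($filename) ?></b>. Nothing in the visible diff defines or includes escape(), so confirm the file's existing includes bring it into scope, otherwise the page will fatal with an undefined function instead of rendering.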
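Review bot: in the <embed> hunk, escape($filename) lands inside a double-quoted attribute (name=\"sound_...\"), so the change is only sufficient if escape() encodes double quotes (htmlspecialchars with ENT_QUOTES or equivalent); an escaper that only handles < and > still lets a value containing " break out of the attribute. The src= values are left on urlencode(), which is the right encoding for query-string context. Unrelated to the fix, the <audio src=\"http://localhost:8000/...\"> in the unchanged context line only resolves when the browser runs on the PBX host itself; worth a follow-up.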
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/fusionpbx/fusionpbx/commit/11f2dd2254dbeb1c41bf19b8c38e8fa9bc948efb (MISC)
[2] https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-16/ (MISC)