VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2019 · Updated Aug 5, 2024

CVE-2019-16987

Description

In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX up to v4.5.7 has a reflected XSS in contact_import.php via the unsanitized query_string parameter.

Vulnerability

In FusionPBX up to version 4.5.7, the file app/contacts/contact_import.php contains a reflected cross-site scripting (XSS) vulnerability. The query_string parameter from the URL is directly echoed into the onclick attribute of a button without proper sanitization [1][2]. This allows an attacker to inject arbitrary JavaScript code.

Exploitation

An attacker must target an authenticated user and craft a malicious URL containing the XSS payload in the query_string parameter. When the user visits the crafted URL and clicks the "Back" button on the import page, the injected script executes in the context of the user's session [2]. No special network position is required beyond normal web access.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser, enabling actions such as session hijacking, phishing, or defacement within the FusionPBX interface. The attacker can perform any action the victim is authorized to do, potentially compromising sensitive data or system settings [2].

Mitigation

The vulnerability is fixed in commit ccdb27536d3549b5c0c317e3665fff231631ec77 [1]. Users should upgrade to a version containing this fix. As of the publication date (2019-10-21), no workaround is mentioned. The fix removes the query_string from the onclick handler, preventing reflection. No other mitigation is documented.
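The fix commit closes the reflection by dropping the parameter altogether, which also means the Back button can no longer return the user to the filtered contact list they came from. The following is an added example, not FusionPBX code and not the approach taken in the fix, showing how the same button could be rendered without reflecting the raw `query_string` value: the untrusted string is parsed, reduced to a whitelist of known parameter names (the names `search`, `order_by`, `order` and `page` are assumptions; the real parameters accepted by contacts.php are not on this page), re-encoded with `http_build_query()`, and placed in an HTML-escaped `href` instead of an inline `onclick` handler. The sample inputs are constructed.

```php
<?php
// Added example (not FusionPBX code): rendering the "Back" button from
// contact_import.php without reflecting raw $_GET["query_string"] into an
// inline onclick handler.

// Parameter names the contacts list page is assumed to accept (assumption:
// the real contacts.php parameter names are not given on the advisory page).
// Anything not in this list is silently dropped.
const ALLOWED_BACK_PARAMS = ['search', 'order_by', 'order', 'page'];

/**
 * Build the return URL from an untrusted query string.
 *
 * parse_str() decodes the caller's string into an array; only whitelisted,
 * scalar values are kept, and http_build_query() re-encodes them, so no byte
 * of the original request string reaches the page verbatim.
 */
function safe_back_url(string $untrusted_query_string): string
{
    parse_str($untrusted_query_string, $params);

    $kept = [];
    foreach (ALLOWED_BACK_PARAMS as $key) {
        if (isset($params[$key]) && is_scalar($params[$key])) {
            $kept[$key] = (string) $params[$key];
        }
    }

    return 'contacts.php' . ($kept !== [] ? '?' . http_build_query($kept) : '');
}

/**
 * Render the button as a plain link: no JavaScript string context to escape
 * for, and the URL is HTML-escaped for the attribute context.
 */
function back_button_html(string $untrusted_query_string, string $label): string
{
    $url   = htmlspecialchars(safe_back_url($untrusted_query_string), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $label = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<a class='btn' href='{$url}'>{$label}</a>\n";
}

// Constructed sample inputs: one benign, one carrying a quote/semicolon
// sequence of the kind that would have broken out of the original
// onclick="window.location='contacts.php?...'" string.
$benign  = 'search=smith&page=2';
$hostile = "search=x'%3Balert(1)%3B//&unknown=<b>ignored</b>";

echo back_button_html($benign, 'Back');
echo back_button_html($hostile, 'Back');
```

With the benign input the link points at `contacts.php?search=smith&amp;page=2`; with the hostile input the quote, semicolons and slashes come back percent-encoded inside the `search` value and the unknown key is discarded, so the browser treats the whole thing as a URL rather than as script. If the inline `onclick` must be kept for layout reasons, the URL should be passed through `json_encode()` for the JavaScript string context and then `htmlspecialchars()` for the attribute context, in that order; the `href` form above avoids that double encoding entirely.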

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (1)

ccdb27536d35

Update contact_import.php

https://github.com/fusionpbx/fusionpbx · FusionPBX · Aug 13, 2019 · via osv
1 file changed · +2 −2
  • app/contacts/contact_import.php · +2 −2 · modified
    @@ -379,7 +379,7 @@ function get_parent($schema,$table_name) {
     			echo "<tr>\n";
     			echo "<td align='left' width='30%' nowrap='nowrap'><b>".$text['header-contacts_import']."</b></td>\n";
     			echo "<td width='70%' align='right'>\n";
    -			echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n";
    +			echo "	<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php'\" value='".$text['button-back']."'>\n";
     			echo "</td>\n";
     			echo "</tr>\n";
     			echo "<tr>\n";
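Review bot: Removing `$_GET["query_string"]` from the `onclick` string on the `-` line of this hunk closes the reflection, but the same `onclick=\"window.location='contacts.php?".$_GET["query_string"]."'\"` construct appears a second time further down in this file, so it is worth a repository-wide search for other `$_GET[...]` values interpolated into inline event handlers rather than fixing occurrences one at a time. The remaining interpolated values (`$text['button-back']`) come from the application's language table rather than the request, so they are out of scope for this CVE, though passing them through `htmlspecialchars()` would make the template uniformly safe.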
    @@ -433,7 +433,7 @@ function get_parent($schema,$table_name) {
     	echo "		".$text['description-contacts_import']."\n";
     	echo "	</td>\n";
     	echo "	<td valign='top' width='70%' align='right'>\n";
    -	echo "		<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php?".$_GET["query_string"]."'\" value='".$text['button-back']."'>\n";
    +	echo "		<input type='button' class='btn' name='' alt='".$text['button-back']."' onclick=\"window.location='contacts.php'\" value='".$text['button-back']."'>\n";
     	//echo "		<input name='submit' type='submit' class='btn' id='import' value=\"".$text['button-import']."\">\n";
     	echo "	</td>\n";
     	echo "	</tr>\n";
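Review bot: Behaviour change worth stating in the commit message: with the query string gone from both buttons, Back now always lands on an unfiltered `contacts.php`, so whatever search or paging state the user arrived with is lost. If that state matters, the safer way to restore it is to rebuild the target from a whitelist of known parameter names with `http_build_query()` and escape the result with `htmlspecialchars()` for the attribute, rather than reintroducing the raw `$_GET` value. The commented-out submit `<input>` on the line after the change is unrelated dead code and could be removed in a separate cleanup.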
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)
