CVE-2019-16989
Description
In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 is vulnerable to reflected XSS in the `conference_interactive.php` file via the unsanitized `c` parameter.
Vulnerability
In FusionPBX versions up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized c parameter obtained from the URL. The value is reflected into the page's inline JavaScript (a single-quoted string that builds a request URL) without any escaping, which yields a reflected cross-site scripting (XSS) vulnerability [1][2]. The vulnerable code sits in the JavaScript section, where the c parameter is echoed via <?php echo trim($_REQUEST["c"]); ?> [1]. The fix in commit 83123e31 wraps the output with escape() [1].
Exploitation
An attacker needs to trick an authenticated FusionPBX user into clicking a crafted URL that includes a malicious payload in the c parameter [2]. No special network position or authentication is required beyond the target being logged in. The URL can be delivered via phishing, social engineering, or injected into another page. Once clicked, the arbitrary JavaScript executes in the user's browser within the context of the FusionPBX session [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the authenticated user's session and the functionality accessible to that user. The CVSS v3.1 base score is 6.1 (Medium) per NVD [2].
Mitigation
The vulnerability was fixed in commit 83123e31 by applying the escape() function to the c parameter before output [1][2]. The fix was merged into the FusionPBX repository by Mark J Crane on the same day the issue was reported (Oct 8, 2019) [2]. Users should update to a version later than v4.5.7, or apply the patch manually. No workarounds are documented; upgrading is the recommended action.
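As an added illustration (not FusionPBX code, and not the project's `escape()` helper, whose definition is not shown here), the vulnerable construction from the CVE beside a hardened form that allowlists the value and emits it with `json_encode`. That `c` is expected to be a UUID is an assumption made for this example.

```php
<?php
// Added example, not FusionPBX code. Assumes the conference identifier passed
// in "c" is expected to be a UUID (an assumption; the page does not say so).

// Vulnerable pattern described in the CVE: the raw request value is dropped
// straight into a single-quoted JavaScript string inside a <script> block,
// so a quote in the value terminates the string and the rest is parsed as JS.
function vulnerable_js_url(array $request): string {
    return "var url = 'conference_interactive_inc.php?c=" . trim($request['c'] ?? '') . "';";
}

// Hardened pattern: validate the value against the format the page expects,
// URL-encode it for the query string, and build the JavaScript statement with
// json_encode so quotes, angle brackets and ampersands cannot terminate the
// string literal or the enclosing <script> block.
function hardened_js_url(array $request): string {
    $c = trim($request['c'] ?? '');
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $c)) {
        // Reject anything that is not a UUID rather than trying to "clean" it.
        http_response_code(400);
        exit('invalid conference id');
    }
    $url = 'conference_interactive_inc.php?c=' . rawurlencode($c);
    $js  = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return 'var url = ' . $js . ';';
}

// Constructed sample inputs for a local comparison run.
$benign  = ['c' => '5f2b9c1e-3d4a-4b6f-9e8d-1a2b3c4d5e6f'];
$hostile = ['c' => "x'\n//"];   // contains a quote and a newline, not a UUID

echo hardened_js_url($benign), PHP_EOL;    // well-formed JS string literal
echo vulnerable_js_url($hostile), PHP_EOL; // the quote closes the string early
hardened_js_url($hostile);                 // rejected with HTTP 400, script exits
```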
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
83123e314a2e Update conference_interactive.php
1 file changed · +17 −13
app/conferences_active/conference_interactive.php+17 −13 modified@@ -17,23 +17,27 @@ The Initial Developer of the Original Code is Mark J Crane <markjcrane@fusionpbx.com> - Portions created by the Initial Developer are Copyright (C) 2008-2012 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane <markjcrane@fusionpbx.com> James Rose <james.o.rose@gmail.com> */ -include "root.php"; -require_once "resources/require.php"; -require_once "resources/check_auth.php"; -if (permission_exists('conference_interactive_view')) { - //access granted -} -else { - echo "access denied"; - exit; -} + +//includes + include "root.php"; + require_once "resources/require.php"; + require_once "resources/check_auth.php"; + +//check permissions + if (permission_exists('conference_interactive_view')) { + //access granted + } + else { + echo "access denied"; + exit; + } //add multi-lingual support $language = new text; @@ -83,7 +87,7 @@ function loadXmlHttp(url, id) { } var requestTime = function() { - var url = 'conference_interactive_inc.php?c=<?php echo trim($_REQUEST["c"]); ?>'; + var url = 'conference_interactive_inc.php?c=<?php echo trim(escape($_REQUEST["c"])); ?>'; new loadXmlHttp(url, 'ajax_reponse'); setInterval(function(){new loadXmlHttp(url, 'ajax_reponse');}, 1222); } @@ -129,4 +133,4 @@ function send_cmd(url) { //show the header require_once "resources/footer.php"; -?> \ No newline at end of file +?>
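Review bot: the copyright year bump and the re-indentation of the include and permission-check block in the first hunk carry no functional change and are unrelated to the XSS fix; keeping cosmetic whitespace changes out of a security commit makes it easier to review and to backport to the affected 4.5.x releases.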
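Review bot: `escape()` is not defined in this diff, so the hunk alone does not show whether it encodes `'` and `<`, which are the characters that matter here because the value lands inside a single-quoted JavaScript string within a `<script>` block, not in ordinary HTML text. Please confirm the helper covers that context, and consider rejecting any `c` that is not in the expected identifier format before output and passing the value through `rawurlencode()` so the `conference_interactive_inc.php?c=` query string stays well-formed.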
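Review bot: the trailing newline added after the closing `?>` in the last hunk is harmless, since PHP consumes a single newline directly following `?>`; it only normalises the end of the file.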
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/fusionpbx/fusionpbx/commit/83123e314a2e4c2dd0815446f89bcad97278d98d (MITRE, x_refsource_MISC)
- resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-19/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.