CVE-2019-16990
Description
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to and including v4.5.7 lets an authenticated user download arbitrary files readable by the web server through a path traversal in the base64-encoded file parameter of app/music_on_hold/music_on_hold.php.
Vulnerability
In FusionPBX up to v4.5.7, app/music_on_hold/music_on_hold.php reads the file parameter from the HTTP GET request, base64-decodes it and joins it to the configured sounds directory with path_join without validating the result. Nothing rejects directory traversal sequences (../) or checks that the resolved path still lies inside the intended music directory, so any file readable by the web server user can be requested. The affected versions are FusionPBX 4.5.7 and earlier [2].
Exploitation
An attacker must have a valid authenticated session in FusionPBX; the attack requires no special privileges beyond normal user access. The attacker requests the script with a file parameter whose value is the base64 encoding of a relative path containing traversal sequences, for example Li4vLi4vZXRjL3Bhc3N3ZA== for ../../etc/passwd. The number of ../ segments needed depends on how deep the sounds directory sits on the target; surplus segments are harmless once the filesystem root is reached, so padding with extra ../ is the usual approach. The server then streams the file to the client without checking that the resolved path is within the music directory [1][2].
Impact
Successful exploitation lets the attacker read any file on the server that the web server process can read, including configuration files, credentials and other system data, so confidentiality is compromised. The CVE description covers download only, and on that basis integrity and availability are not affected; note, however, that the fixing commit applies the same sanitization to the file-deletion branch of the same script (the @unlink call), which suggests the same traversal was reachable there for users holding the delete permission [1][2].
Mitigation
The vulnerability was fixed in commit 95ed18aa9d781f232f5686a9027bb6f677c9b8da on 19 August 2019, which strips ../ sequences from the joined path with a single str_replace call [1]. FusionPBX users should upgrade to a release that includes that commit (later than v4.5.7). A single-pass string replacement does not canonicalize the path, so a more robust control is to resolve the joined path with realpath() and serve it only if it starts with the canonical sounds directory followed by a separator. No workarounds are documented. The CVE is not listed in the CISA KEV catalog.
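The following PHP script is an added example written for this page; it is not FusionPBX code. It models the three path policies discussed above (the unpatched join, the patched single-pass str_replace, and the realpath containment check suggested as a stronger alternative) and drives each one with the base64-encoded file parameter an attacker would send, including a doubled traversal sequence. join_path() is a stand-in for FusionPBX's own path_join(), assumed here to join with a single "/"; resolve_contained() is this example's own suggestion and is not part of the fixing commit. The sounds directory and the files in it are a constructed fixture created under the system temp directory.

```php
<?php
// Added example, not FusionPBX code: models the "file" parameter handling of
// app/music_on_hold/music_on_hold.php before and after commit 95ed18aa, plus a
// realpath-based containment check. join_path() is a stand-in for FusionPBX's
// own path_join(), assumed to join with one '/'. Run with: php moh_paths.php

function join_path(string $base, string $file): string {
    return rtrim($base, '/') . '/' . ltrim($file, '/');
}

// Pre-patch logic: decode the parameter and join it to the sounds directory.
function resolve_vulnerable(string $stream_path, string $file_param): string {
    $stream_file = base64_decode($file_param);
    return join_path($stream_path, $stream_file);
}

// Patched logic (commit 95ed18aa): strip '../' from the joined path once.
function resolve_patched(string $stream_path, string $file_param): string {
    $stream_file = base64_decode($file_param);
    $stream_full_path = join_path($stream_path, $stream_file);
    return str_replace('../', '', $stream_full_path);
}

// Hardened alternative (this example's assumption, not part of the patch):
// canonicalise both paths and require the target to sit below the sounds
// directory. Returns null for anything that should not be served.
function resolve_contained(string $stream_path, string $file_param): ?string {
    $stream_file = base64_decode($file_param, true);   // strict mode rejects non-base64 input
    if ($stream_file === false || $stream_file === '' || strpos($stream_file, "\0") !== false) {
        return null;
    }
    $base = realpath($stream_path);
    $full = realpath(join_path($stream_path, $stream_file));
    if ($base === false || $full === false) {
        return null;   // base directory or target does not exist
    }
    // Compare against the base plus a separator so "/srv/sounds2/x" cannot pass for "/srv/sounds".
    return strncmp($full, $base . '/', strlen($base) + 1) === 0 ? $full : null;
}

// Constructed fixture: one legitimate file inside the sounds directory and a
// sibling file outside it that must never be served.
$root = sys_get_temp_dir() . '/moh_' . bin2hex(random_bytes(4));
mkdir("$root/sounds", 0700, true);
file_put_contents("$root/sounds/hold.wav", 'RIFF');
file_put_contents("$root/secret.txt", 'not for download');

$cases = [
    'hold.wav',          // legitimate request
    '../secret.txt',     // the traversal the advisory describes
    '....//secret.txt',  // doubled sequence: one str_replace pass leaves '../' behind
];

foreach ($cases as $path) {
    $param = base64_encode($path);   // how the attacker encodes the "file" parameter
    $vuln = resolve_vulnerable("$root/sounds", $param);
    $patched = resolve_patched("$root/sounds", $param);
    $contained = resolve_contained("$root/sounds", $param);
    printf("%-18s file=%s  vulnerable:%s  patched:%s  contained:%s\n",
        $path, $param,
        file_exists($vuln) ? 'served' : 'miss',
        file_exists($patched) ? 'served' : 'miss',
        $contained === null ? 'rejected' : 'served');
}

// Remove the fixture.
unlink("$root/sounds/hold.wav");
unlink("$root/secret.txt");
rmdir("$root/sounds");
rmdir($root);
```

The doubled case is the reason string stripping is not enough: "....//secret.txt" contains exactly one "../" at its third character, and removing it collapses the remainder to "../secret.txt", which the patched resolver then hands to the filesystem. The containment check does not care what the string looked like, only where it ends up after realpath(), which is why it is the control to prefer when porting this fix.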
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX / FusionPBX (versions up to and including 4.5.7)
Patches
1 file changed · +12 −1
app/music_on_hold/music_on_hold.php+12 −1 modified@@ -86,6 +86,9 @@ $stream_file = base64_decode($_GET['file']); $stream_full_path = path_join($stream_path, $stream_file); + //sanitize path + $stream_full_path = str_replace('../', '', $stream_full_path); + //dowload the file session_cache_limiter('public'); if (file_exists($stream_full_path)) { @@ -284,13 +287,21 @@ } } + //replace the sounds_dir variable in the path + $stream_path = str_replace('$${sounds_dir}', $_SESSION['switch']['sounds']['dir'], $stream_path); + //check permissions if (($stream_domain_uuid == '' && permission_exists('music_on_hold_domain')) || ($stream_domain_uuid != '' && permission_exists('music_on_hold_delete'))) { //remove specified file if ($stream_file != '') { - @unlink(path_join($stream_path, $stream_file)); + //define path + $stream_full_path = path_join($stream_path, $stream_file); + //sanitize path + $stream_full_path = str_replace('../', '', $stream_full_path); + //delete file + @unlink($stream_full_path); } //remove all audio files else {
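Review bot: in the @@ -86 hunk, `$stream_full_path = str_replace('../', '', $stream_full_path);` is a single non-recursive pass, so a decoded value such as `....//etc/passwd` becomes `../etc/passwd` after the replacement and still traverses out of `$stream_path`; the replacement also runs on the already joined path rather than on the untrusted `$stream_file`, so an empty or absolute value is never rejected. Replace the stripping with canonicalisation plus a containment check before `session_cache_limiter('public')`, e.g. `$real = realpath($stream_full_path); $base = realpath($stream_path);` followed by `if ($real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) { exit; }`. The new comment `//dowload the file` is also misspelled.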
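Review bot: in the @@ -284 hunk, the delete branch repeats the same single-pass `str_replace('../', '', $stream_full_path);` before `@unlink($stream_full_path);`, so the doubled-sequence bypass applies there too and a caller holding `music_on_hold_delete` (or `music_on_hold_domain` when `$stream_domain_uuid` is empty) can remove files outside the sounds directory; apply the realpath containment check here as well, and drop the `@` so a failed unlink is logged instead of silently ignored. The new `str_replace('$${sounds_dir}', $_SESSION['switch']['sounds']['dir'], $stream_path);` line makes the session value the trusted base of that check, so it is worth confirming that it is set only from server configuration.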
References
[1] https://github.com/fusionpbx/fusionpbx/commit/95ed18aa9d781f232f5686a9027bb6f677c9b8da
[2] https://resp3ctblog.wordpress.com/2019/10/19/fusionpbx-path-traversal-3/