CVE-2019-16991
Description
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX up to v4.5.7 has a reflected XSS via the unsanitized "file" parameter in app/edit/filedelete.php.
Vulnerability
In FusionPBX up to v4.5.7, the file app/edit/filedelete.php uses an unsanitized `file` variable from the URL, which is reflected in the HTML output, leading to a reflected cross-site scripting (XSS) vulnerability [1], [2]. The affected parameter is echoed directly into the `value` attribute of an `<input>` element without escaping, as shown by the commit diff that wraps it in `escape($file)` [1]. The same commit also escapes the `folder` value where it is echoed into a table cell and into a hidden input.
Exploitation
An attacker must convince an authenticated FusionPBX user to click a crafted URL containing malicious JavaScript in the file parameter [2]. No other special privileges or network position are required beyond the user's existing session. The injection occurs in the HTML response, allowing the attacker's script to execute in the victim's browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, phishing attacks, or other actions that the victim user can perform within FusionPBX [2]. The CVSSv3 base score is 6.1 MEDIUM, indicating a moderate impact on confidentiality and integrity, with low attack complexity [2].
Mitigation
A fix was committed on the same day the issue was reported (October 8, 2019) and is included in the repository [1], [2]. Users should upgrade FusionPBX to a version containing commit cd4632b46c62855f7e1c1c93d20ffd64edcb476e or later [1]. No workarounds are documented, and the vulnerability is not listed in the known exploited vulnerabilities (KEV) catalog. It is strongly recommended to apply the patch promptly.
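The reflection pattern described above and the fix applied by the commit, reduced to a stand-alone PHP script. This is an added example, not FusionPBX code: `render_unsafe()` mirrors the pre-fix concatenation, `escape()` is a hypothetical stand-in for the project's helper (its real implementation is assumed), and the probe value is constructed. Because the attribute in filedelete.php is single-quoted, the example also shows why the encoder must use `ENT_QUOTES`: the pre-PHP-8.1 default of `htmlspecialchars()` (`ENT_COMPAT`) leaves `'` untouched and the breakout survives.

```php
<?php
// Added example (not FusionPBX code). Demonstrates the reflected-XSS sink in
// app/edit/filedelete.php and the output-encoding fix, run from the CLI.

// Vulnerable form: the request parameter is concatenated straight into a
// single-quoted HTML attribute, exactly as the pre-fix line did.
function render_unsafe(string $file): string {
    return "<input type='text' name='file' value='" . $file . "'>";
}

// Encoder that only neutralises double quotes (the htmlspecialchars() default
// before PHP 8.1). Included to show an insufficient "fix" for a single-quoted
// attribute. Hypothetical helper name.
function escape_compat(string $value): string {
    return htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Hardened encoder: ENT_QUOTES encodes both ' and ", so the value can never
// terminate a single- or double-quoted attribute. Hypothetical stand-in for
// FusionPBX's escape(); the project's real helper is assumed, not shown here.
function escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

function render_with(callable $encoder, string $file): string {
    return "<input type='text' name='file' value='" . $encoder($file) . "'>";
}

// Counts attributes the browser would see; a second "data-probe" attribute
// means the value escaped the quoted context.
function attribute_count(string $html): int {
    return preg_match_all("/\\b[a-z-]+='[^']*'/", $html);
}

// Constructed probe: a single quote followed by text that would start a new
// attribute. It is inert (no script), but it is enough to show the breakout.
$probe = "x' data-probe='1";

foreach ([
    'unsafe (pre-fix)'      => render_unsafe($probe),
    'ENT_COMPAT (too weak)' => render_with('escape_compat', $probe),
    'ENT_QUOTES (fix)'      => render_with('escape', $probe),
] as $label => $html) {
    printf("%-22s attrs=%d  %s\n", $label, attribute_count($html), $html);
}
```

Running the script prints four attributes for the first two rows (the probe has injected `data-probe='1'`) and three for the `ENT_QUOTES` row, where the quote is emitted as `&#039;` and the whole probe stays inside `value`. The check a reviewer of the real fix would want is therefore that the project's `escape()` passes `ENT_QUOTES`, or that the templates switch to double-quoted attributes, which every `htmlspecialchars()` mode encodes.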
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
1 file changed · +3 −4
app/edit/filedelete.php+3 −4 modified@@ -81,7 +81,7 @@ echo " <td>".$text['label-path']."</td>"; echo " </tr>"; echo " <tr>"; - echo " <td>".$folder."</td>"; + echo " <td>".escape($folder)."</td>"; echo " </tr>"; echo " </table>"; echo " <br />"; @@ -90,11 +90,11 @@ echo " <td>".$text['label-file-name']."</td>"; echo " </tr>"; echo " <tr>"; - echo " <td><input type='text' name='file' value='".$file."'></td>"; + echo " <td><input type='text' name='file' value='".escape($file)."'></td>"; echo " </tr>"; echo " <tr>"; echo " <td colspan='1' align='right'>"; - echo " <input type='hidden' name='folder' value='$folder'>"; + echo " <input type='hidden' name='folder' value='".escape($folder)."'>"; echo " <input type='hidden' name='token' id='token' value='". $_SESSION['token']. "'>"; echo " <input type='submit' value='".$text['button-del-file']."'>"; echo " </td>"; @@ -106,5 +106,4 @@ //include the footer require_once "footer.php"; } - ?>
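Review bot: in the second hunk (`@@ -90,11 +90,11 @@`) both `value='...'` attributes are single-quoted, so `escape($file)` and `escape($folder)` only close the hole if the helper encodes `'` (i.e. `htmlspecialchars()` with `ENT_QUOTES`); with `ENT_COMPAT` a single quote in `file` still terminates the attribute. Please confirm the helper's flags in this PR, or switch these two attributes to double quotes. The `$_SESSION['token']` value on the adjacent line is server-generated and is fine to leave unescaped.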
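Review bot: the third hunk (`@@ -106,5 +106,4 @@`) removes the closing `?>` tag, which is unrelated to the XSS fix. It is harmless (it prevents stray whitespace after the tag from being sent to the client) but belongs in its own commit or at least a mention in the commit message so the security change stays reviewable on its own.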
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/fusionpbx/fusionpbx/commit/cd4632b46c62855f7e1c1c93d20ffd64edcb476e
- [2] resp3ctblog.wordpress.com/2019/10/19/fusionpbx-xss-20/