CVE-2019-19366
Description
A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX 4.4.1 is vulnerable to stored/reflected XSS in xml_cdr_search.php via the redirect parameter.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in FusionPBX version 4.4.1, in the file app/xml_cdr/xml_cdr_search.php. The flaw is located at line 63, where the redirect GET parameter is insufficiently sanitized before being written directly into the `action` attribute of an HTML element. This allows an attacker to inject arbitrary JavaScript or HTML without requiring authentication or prior configuration [1], [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that passes unsanitized input into the redirect parameter. The proof of concept demonstrated by the discoverer appends a single quote, a closing tag, and an XSS payload such as <svg/onload=alert(document.domain)>. The attacker can then trick a logged-in FusionPBX user into clicking the link. No special network position or user interaction beyond clicking the link is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of credentials, defacement, or redirection to malicious sites. The compromise affects the confidentiality and integrity of the FusionPBX web application, potentially giving the attacker the same privileges as the victim user [1].
Mitigation
A fix was committed on 2019-11-27 via commit f3047c83f3022a4780dca95ed7bccbf3a6fa868e [2]. The patch restricts the redirect parameter to only accept the value 'xml_cdr_statistics', effectively preventing arbitrary input. Users should update FusionPBX to a version that includes this commit (e.g., 4.4.2 or later). There is no known workaround if upgrading is not immediately possible. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].
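As an added illustration (not FusionPBX's own code), the unsafe pattern the description names beside the allowlist check the commit introduces. Function names, the fallback target and the sample inputs are hypothetical; only the redirect parameter and the value 'xml_cdr_statistics' come from the record above.

```php
<?php
// Added example, not code from FusionPBX. Names below are hypothetical.

// Unsafe pattern: the query value is placed straight into an attribute, so a
// value containing a quote ends the attribute early and the rest becomes markup.
function render_form_unsafe(array $query): string {
    $redirect = $query['redirect'] ?? '';
    return '<form method="post" action="' . $redirect . '">';
}

// Allowlist of accepted redirect targets (the commit limits the parameter to
// 'xml_cdr_statistics'). Anything else falls back to the current page (assumed).
const ALLOWED_REDIRECTS = ['xml_cdr_statistics'];

function resolve_redirect(array $query): string {
    $candidate = $query['redirect'] ?? '';
    // Strict comparison: the raw request value is never reflected, only a
    // known constant or the fallback.
    return in_array($candidate, ALLOWED_REDIRECTS, true) ? $candidate : '';
}

function render_form_hardened(array $query): string {
    $target = resolve_redirect($query);
    // Output encoding stays as a second layer even though the value is now fixed.
    return '<form method="post" action="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample requests: one legitimate, one that breaks the attribute.
$benign  = ['redirect' => 'xml_cdr_statistics'];
$hostile = ['redirect' => 'x" data-injected="'];

echo render_form_unsafe($hostile), PHP_EOL;    // attribute boundary is broken
echo render_form_hardened($hostile), PHP_EOL;  // hostile value replaced by the fallback
echo render_form_hardened($benign), PHP_EOL;   // allowlisted value passes unchanged
```

Escaping alone would stop the attribute breakout but would still let a request choose an arbitrary form target; the allowlist removes that choice, which is why the patch takes that route.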
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gist.github.com/xax007/94183b11bdfe579fd860a37e74cd3a8e (MISC)
- [2] github.com/fusionpbx/fusionpbx/commit/f3047c83f3022a4780dca95ed7bccbf3a6fa868e (MISC)
News mentions
No linked articles in our index yet.