CVE-2019-19367
Description
A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in FusionPBX 4.4.1 allows attackers to inject arbitrary script via the id parameter in fax_files.php.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in FusionPBX version 4.4.1 within the file app/fax/fax_files.php. The id parameter is taken directly from the HTTP GET request and used in constructing pagination links without proper sanitization, as shown in the commit diff [1]. This allows an attacker to inject arbitrary HTML or JavaScript.
Exploitation
An attacker can exploit this by crafting a malicious URL containing a payload in the id parameter, for example: https://target/app/fax/fax_files.php?id=123%27%3E%3Csvg/onload=alert(document.domain)%3E%3Ca+href%3d%27 [2]. No authentication is required if the endpoint is publicly accessible, but typically FusionPBX is used internally. The injected script executes when a victim views the fax files page.
Impact
Successful exploitation leads to execution of arbitrary script in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the affected FusionPBX installation.
Mitigation
The vulnerability was fixed in commit [1] on October 2, 2019, by replacing $_GET['id'] with the internal $fax_uuid variable. Users should upgrade to FusionPBX 4.4.2 or later. If upgrading is not possible, the patch can be manually applied to app/fax/fax_files.php. No known workarounds are documented.
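As an added illustration of the pattern described above (not FusionPBX's own code: the function names, the UUID check and the sample values are assumptions; only `$fax_uuid`, the `id` parameter and the payload from reference [2] come from this record), the PHP sketch below contrasts a pagination link built from the raw query parameter with one built from the server-side value and encoded for its output contexts:

```php
<?php
declare(strict_types=1);

// Added illustration of the CVE-2019-19367 pattern. This is not FusionPBX's code:
// the function names and the UUID check are assumptions; only $fax_uuid and the
// id parameter come from the advisory text.

// Vulnerable form: the id value from the query string is concatenated into an
// href attribute with no encoding, so a quote in it closes the attribute and
// anything after it is parsed as markup.
function pagination_link_vulnerable(array $get, int $page): string
{
    $id = $get['id'] ?? '';
    return "<a href='fax_files.php?id=" . $id . "&page=" . $page . "'>" . $page . "</a>";
}

// Hardened form: build the link from the value the server already resolved for
// this request (the fix replaced $_GET['id'] with $fax_uuid), reject anything
// that is not a UUID, and still encode for both the URL and the attribute
// context so a later caller cannot reintroduce the bug.
function pagination_link_fixed(string $fax_uuid, int $page): string
{
    if (!preg_match('/^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/', $fax_uuid)) {
        throw new InvalidArgumentException('fax_uuid is not a UUID');
    }
    $attr = htmlspecialchars(rawurlencode($fax_uuid), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='fax_files.php?id=" . $attr . "&amp;page=" . $page . "'>" . $page . "</a>";
}

// Defender-side check for a rendered fragment: the anchor we built should be
// the only element present; any further tag start means the attribute was
// broken out of.
function fragment_is_single_anchor(string $html): bool
{
    return substr_count($html, '<') === 2
        && str_starts_with($html, '<a ')
        && str_ends_with($html, '</a>');
}

// Constructed inputs: the decoded payload from reference [2], and a
// made-up fax uuid as the server would hold it.
$attacker_id = "123'><svg/onload=alert(document.domain)><a href='";
$fax_uuid    = '3f2a1c9e-0b7d-4e6a-9c21-5d8e7f6a4b10';

$vuln  = pagination_link_vulnerable(['id' => $attacker_id], 2);
$fixed = pagination_link_fixed($fax_uuid, 2);

echo "vulnerable fragment is a single anchor: ";
var_dump(fragment_is_single_anchor($vuln));
echo "fixed fragment is a single anchor: ";
var_dump(fragment_is_single_anchor($fixed));

// The hardened builder never sees request input in the fixed code path, but the
// validation also stops a caller that passes an untrusted string by mistake.
try {
    pagination_link_fixed($attacker_id, 2);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The point of keeping `htmlspecialchars()` even after switching to `$fax_uuid` is defence in depth: the fix removes the request-controlled source, and the encoding makes the sink safe regardless of where its input comes from.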
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX/FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [2] gist.github.com/xax007/94183b11bdfe579fd860a37e74cd3a8e
- [1] github.com/fusionpbx/fusionpbx/commit/72a5ce4d2d6bc0ec0e72bbfb76487e4761f292c5
News mentions
No linked articles in our index yet.