VYPR
Unrated severity. NVD Advisory. Published Nov 28, 2019. Updated Aug 5, 2024.

CVE-2019-19384

Description

A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in FusionPBX 4.4.1 via the fax_uuid parameter in fax_log_view.php allows remote attackers to inject arbitrary web script or HTML.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in FusionPBX version 4.4.1 in the file app/fax/fax_log_view.php. The fax_uuid parameter is not properly sanitized before being echoed back in the response, allowing an attacker to inject arbitrary web script or HTML. The fix introduced UUID validation and URL encoding for the parameter, confirming the lack of input validation as the root cause [1]. The vulnerability is also reported to affect version 4.5.10 [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript code in the fax_uuid parameter. No authentication is required; the attack is performed by tricking a victim into clicking the crafted link or by embedding it on a page. A proof-of-concept URL uses the payload 123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca to execute arbitrary JavaScript in the context of the vulnerable application [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an authenticated or unauthenticated user who visits the crafted URL. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack does not require any special privileges and affects the confidentiality and integrity of the user's session [1][2].

Mitigation

The vulnerability has been fixed in commit aea1abaeb12f69dc22967395c528fb2434e316c1, which introduces UUID validation via is_uuid() and URL-encodes the parameter value [1]. Affected users should update to a version that includes this commit. No official release version with the fix is explicitly noted, but upgrading to a recent build of FusionPBX beyond 4.4.1 is recommended. There are no known workarounds for users who cannot immediately update [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation and output encoding: the `fax_uuid` parameter is echoed directly into a JavaScript context without sanitization, and multiple database fields are echoed into HTML without escaping."

Attack vector

An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by sending a crafted `fax_uuid` parameter to `fax_log_view.php`. The researcher's proof-of-concept uses a payload such as `123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca` appended to the URL [2]. Because the parameter value is placed directly into a `document.location` string inside an `onclick` handler, the attacker's script executes in the victim's browser session [1].

Affected code

The vulnerability is in `app/fax/fax_log_view.php` in FusionPBX. The `fax_uuid` parameter from `$_REQUEST` was directly echoed into an inline JavaScript `document.location` assignment without sanitization [1]. Multiple other database fields (e.g., `$fax_success`, `$fax_result_code`) were also output unescaped in HTML table cells [1].

What the fix does

The patch introduces two changes. First, it wraps `$_REQUEST["fax_uuid"]` with an `is_uuid()` validation check so that only properly formatted UUIDs are accepted; non-conforming input is silently discarded [1]. Second, it applies `urlencode()` to `$fax_uuid` when embedding it in the JavaScript `document.location` string, and wraps all other echoed database fields with `escape()` to HTML-encode their output [1]. These changes prevent both reflected XSS via the `fax_uuid` parameter and stored XSS through any of the displayed fax record fields.
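To make the two halves of the fix concrete, here is an added Python model of them (this is not FusionPBX's own PHP code): a strict UUID check standing in for `is_uuid()`, URL encoding for the value that lands in the `document.location` string, HTML escaping for the table cells, and a small detection pass over constructed access-log lines that flags `fax_uuid` values which would have failed the check. The link target in `render_onclick` is a placeholder, and the UUID regex is assumed to match the intent of `is_uuid()` rather than its exact implementation.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# 8-4-4-4-12 hex shape; assumed to mirror the intent of FusionPBX's is_uuid().
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def is_uuid(value: str) -> bool:
    return UUID_RE.fullmatch(value) is not None

def accept_fax_uuid(request_value: Optional[str]) -> Optional[str]:
    """First half of the fix: keep the value only if it is a well-formed UUID,
    otherwise discard it silently (nothing is echoed back)."""
    if request_value is None or not is_uuid(request_value):
        return None
    return request_value

def render_onclick(fax_uuid: str) -> str:
    """Second half, JavaScript context: URL-encode the value before it is placed
    inside the document.location string. Target page name is a placeholder."""
    return "document.location='fax_placeholder.php?id=" + quote(fax_uuid, safe="") + "'"

def render_cell(db_field: str) -> str:
    """escape() on the other echoed fields: HTML-encode before placing in <td>."""
    return "<td>" + html.escape(db_field, quote=True) + "</td>"

# Constructed access-log lines (ip method path); the second carries the PoC payload.
SAMPLE_LOG = """\
203.0.113.5 GET /app/fax/fax_log_view.php?fax_uuid=a1b2c3d4-e5f6-7890-abcd-ef1234567890
203.0.113.9 GET /app/fax/fax_log_view.php?fax_uuid=123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca
203.0.113.9 GET /app/fax/fax_send.php?id=1
"""

def suspicious_fax_uuid_requests(access_log: str) -> List[Tuple[str, str]]:
    """Detection: requests to fax_log_view.php whose decoded fax_uuid is not a UUID."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        url = urlsplit(parts[2])
        if not url.path.endswith("/app/fax/fax_log_view.php"):
            continue
        for value in parse_qs(url.query).get("fax_uuid", []):
            if not is_uuid(value):
                hits.append((parts[0], value))
    return hits
```

Run against the constructed log, only the request carrying the non-UUID payload is reported; a validated UUID passes through `quote()` unchanged, so the encoding step is a no-op on legitimate input and only matters as defence in depth.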

Preconditions

  • Network: The attacker must be able to send HTTP requests to a FusionPBX instance running version 4.4.1 (or 4.5.10 per the researcher).
  • Auth: No authentication is required; the vulnerable endpoint is accessible without a session.

Reproduction

Visit `https://

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
