CVE-2019-19385

An unauthenticated remote attacker crafts a URL pointing to `app/dialplans/dialplans.php` with a malicious `app_uuid` parameter containing JavaScript payloads, such as `app_uuid=123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca` [ref_id=1]. When a victim visits this link, the unsanitized input is reflected in the HTML response, causing the browser to execute the injected script. No authentication or special privileges are required.

The vulnerable file is `app/dialplans/dialplans.php` in FusionPBX 4.4.1 (and 4.5.10 per the advisory). The `app_uuid` parameter is read directly from `$_GET["app_uuid"]` without validation and then echoed into the page, enabling reflected XSS [ref_id=1].

The patch [ref_id=2] wraps all assignments of `$app_uuid` from user input (`$_REQUEST["app_uuid"]`, `$_GET["app_uuid"]`, and `$row['app_uuid']`) inside an `is_uuid()` validation check. If the value is not a valid UUID, `$app_uuid` is not set, preventing the unsanitized string from being reflected in the page. Additionally, the patch removes the conditional `is_uuid()` guard around the `$params[]` concatenation lines, ensuring that when `$app_uuid` is empty the parameter is still appended (as an empty value) rather than conditionally omitted, which avoids logic inconsistencies.

Visit the following URL in a browser that has a session (or no session) on the target FusionPBX instance: `https://target/app/dialplans/dialplans.php?app_uuid=123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca` [ref_id=1]. The JavaScript `alert(document.domain)` will execute, confirming the XSS.