VYPR
Unrated severity · NVD Advisory · Published Nov 28, 2019 · Updated Aug 5, 2024

CVE-2019-19386

Description

A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in FusionPBX 4.4.1 through 4.5.10 allows remote attackers to inject arbitrary script via the `id` or `voicemail_id` parameter in voicemail_greeting_edit.php.

Vulnerability

The vulnerability is a cross-site scripting (XSS) flaw in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX versions 4.4.1 through 4.5.10 [1]. The application fails to sanitize or validate the id and voicemail_id parameters before rendering them in the page, allowing injection of arbitrary HTML or JavaScript [1][2]. The fix introduces UUID validation for both parameters and uses urlencode() for output in the back button [2].

Exploitation

An attacker can exploit this without authentication by crafting a URL with malicious payloads in the id or voicemail_id query parameters [1]. For example, the proof-of-concept shows: https://domain/app/voicemail_greetings/voicemail_greeting_edit.php?id=123%27%3E%3Csvg/onload=alert(document.domain)%3E%3Ca%20href=%27 [1]. The user interaction required is simply visiting the crafted link; no special privileges or network position are needed beyond access to the web interface [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the context of the victim's browser, leading to session hijacking, credential theft, defacement, or redirection to malicious sites [1]. The attacker gains no direct server-side access, but can perform actions as the victim user, potentially compromising the entire FusionPBX configuration if an admin accesses the link [1].

Mitigation

The vulnerability is fixed in commit 9e837fadecdd5199819a949b5b1bd84b19f716f2 [1][2]. The fix adds UUID validation for the id and voicemail_id parameters and URL-encodes the output in the back button [2]. Administrators should update to a version containing this commit (e.g., after November 2019) or apply the patch manually [1]. As of the publication date, no other workaround has been documented, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation and output encoding of the `id` and `voicemail_id` parameters in voicemail_greeting_edit.php allows reflected XSS."

Attack vector

An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by sending a crafted request to `voicemail_greeting_edit.php` with a malicious payload in the `id` or `voicemail_id` parameter [ref_id=1]. The proof-of-concept URL `https://domain/app/voicemail_greetings/voicemail_greeting_edit.php?id=123%27%3E%3Csvg/onload=alert(document.domain)%3E%3Ca%20href=%27` demonstrates injecting an `svg` element carrying an `onload` event handler [ref_id=1]. No authentication or special privileges are required; the attacker only needs to lure a victim into visiting the crafted link.

Affected code

The vulnerability is in `app/voicemail_greetings/voicemail_greeting_edit.php` [ref_id=1]. The `id` and `voicemail_id` parameters are taken directly from `$_REQUEST` and echoed into the page without sanitization [ref_id=2]. The patch shows the fix at lines 45-51 and line 138 of that file [ref_id=2].

What the fix does

The patch [ref_id=2] wraps both `$_REQUEST["id"]` and `$_REQUEST["voicemail_id"]` with the `is_uuid()` validation function before assigning them to variables, ensuring only valid UUID values are accepted. It also applies `urlencode()` to `$voicemail_id` when it is echoed into the JavaScript `window.location` string on the back button, preventing script injection through that output context. Previously the parameters were assigned directly from `$_REQUEST` without any sanitization [ref_id=2].
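As an added illustration (not FusionPBX's own code), the two patterns the patch contrasts, written in PHP: the `is_uuid()` helper is a stand-in written for this example, and the back-button markup is assumed rather than copied from the project.

```php
<?php
// Added example, not FusionPBX's own code: the request handling the advisory
// describes, in its vulnerable and fixed forms. is_uuid() below is a stand-in
// written for this example; FusionPBX's real helper may differ.
function is_uuid(string $value): bool {
    return preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    ) === 1;
}

// Before the fix: the parameter is copied straight out of the request and
// concatenated into the JavaScript string on the back button.
function back_button_vulnerable(array $request): string {
    $voicemail_id = $request['voicemail_id'] ?? '';
    return "<input type='button' value='Back' onclick=\"window.location='"
        . "voicemail_greetings.php?id=" . $voicemail_id . "'\">";
}

// After the fix: the parameter is assigned only if it is a well-formed UUID,
// and the value is urlencode()d before it is written into the URL inside the
// JavaScript string, so quotes and angle brackets never reach the page.
function back_button_fixed(array $request): string {
    $voicemail_id = '';
    if (isset($request['voicemail_id']) && is_uuid($request['voicemail_id'])) {
        $voicemail_id = $request['voicemail_id'];
    }
    return "<input type='button' value='Back' onclick=\"window.location='"
        . "voicemail_greetings.php?id=" . urlencode($voicemail_id) . "'\">";
}

// Constructed sample inputs: a legitimate UUID and a malformed value of the
// kind the advisory's proof of concept sends (quote and tag characters).
$samples = [
    'valid'     => ['voicemail_id' => '3f2504e0-4f89-11d3-9a0c-0305e82c3301'],
    'malformed' => ['voicemail_id' => "123'><a href='"],
];
foreach ($samples as $name => $request) {
    echo "$name / vulnerable: " . back_button_vulnerable($request) . "\n";
    echo "$name / fixed:      " . back_button_fixed($request) . "\n";
}
```

With the malformed sample the fixed function emits an empty `id=` value because the UUID check fails, while the valid UUID passes through unchanged since `urlencode()` leaves hyphens and hex digits as they are.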

Preconditions

  • network: The attacker must be able to send HTTP requests to the FusionPBX server
  • input: The victim must visit a crafted URL containing the malicious parameter

Reproduction

Visit the following URL, replacing `domain` with the target FusionPBX host: `https://domain/app/voicemail_greetings/voicemail_greeting_edit.php?id=123%27%3E%3Csvg/onload=alert(document.domain)%3E%3Ca%20href=%27` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2