CVE-2019-19387
Description
A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FusionPBX versions 4.4.1 and 4.5.10 are vulnerable to reflected XSS via the `c` parameter in `fifo_interactive.php`.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in app/fifo_list/fifo_interactive.php in FusionPBX versions 4.4.1 and 4.5.10 [1]. The c parameter is echoed unsanitized into JavaScript code, allowing injection of arbitrary web script or HTML.
Exploitation
An attacker can exploit this by crafting a URL with a malicious c parameter value. No authentication or user interaction is required beyond the victim visiting the crafted URL. For example, the proof of concept URL https://domain/app/fifo_list/fifo_interactive.php?c=123%27;alert(document.domain);// demonstrates arbitrary JavaScript execution [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other client-side attacks depending on the application context.
Mitigation
The vulnerability is fixed in commit 44edbfe7a7e256d1b80448026617365a40c92c61 [2]. Users should update FusionPBX to a version including this fix or apply the patch manually. As of the publication date, no workaround is available other than applying the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FusionPBX / FusionPBX
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `c` parameter in `fifo_interactive.php` is reflected into the HTTP response without sanitization or encoding, enabling stored/reflected XSS."
Attack vector
An attacker crafts a URL targeting the `fifo_interactive.php` script and appends a malicious payload to the `c` parameter. The proof-of-concept URL uses a single quote to break out of an existing attribute or string context, then injects JavaScript via `alert(document.domain)` [1]. No authentication is required; the attacker simply lures a victim into visiting the crafted link, and the injected script executes in the victim's browser session.
Affected code
The vulnerable file is `app/fifo_list/fifo_interactive.php` in FusionPBX 4.5.10. The `c` parameter is echoed into the page without sanitization, allowing arbitrary HTML and JavaScript injection [1].
What the fix does
The advisory references commit `44edbfe7a7e256d1b80448026617365a40c92c61` as the fix [1]. The patch is not included in the bundle, but based on the nature of the bug, the fix likely escapes or sanitizes the `c` parameter before output, preventing injected script tags or event handlers from being interpreted as HTML.
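As an added illustration (not FusionPBX's code, whose patch is not in the bundle), the reflection-into-JavaScript pattern described above is shown beside a context-aware fix; the `$_GET['c']` name follows the advisory, while the `call_id` variable and the `render_*` functions are hypothetical.

```php
<?php
// Added example, not FusionPBX's code: a minimal reconstruction of the bug
// class (a GET parameter reflected into inline JavaScript) and its fix.
// Only the parameter name `c` comes from the advisory; the rest is assumed.

// Vulnerable pattern: the value lands inside a single-quoted JS string, so a
// value such as 123';alert(document.domain);// closes the string, runs
// attacker-controlled code and comments out the rest of the statement.
function render_vulnerable(string $c): string {
    return "<script>var call_id = '" . $c . "';</script>";
}

// Hardened pattern: json_encode() emits a proper JS string literal, and the
// JSON_HEX_* flags additionally encode < > & ' " as \uXXXX so the value can
// neither terminate the string nor close the <script> element.
function render_fixed(string $c): string {
    $js = json_encode($c, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($js === false) {           // invalid UTF-8: fall back to an empty literal
        $js = '""';
    }
    return "<script>var call_id = " . $js . ";</script>";
}

// If the same value is also shown as HTML text, encode for that context
// separately; one encoding does not cover both contexts.
function render_fixed_html(string $c): string {
    return '<span>' . htmlspecialchars($c, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
}

// Untrusted input, e.g. ?c=123%27;alert(document.domain);//
$c = $_GET['c'] ?? '';
echo render_fixed($c);
// For the PoC value this emits:
// <script>var call_id = "123\u0027;alert(document.domain);\/\/";</script>
echo render_fixed_html($c);
```

A Content-Security-Policy without `'unsafe-inline'` (see the config precondition below) would additionally stop the injected inline script from running even where output encoding is missed.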
Preconditions
- auth: No authentication required; the vulnerable page is publicly accessible.
- input: Attacker must trick a user into visiting a crafted URL containing the malicious `c` parameter.
- config: The victim's browser must execute the unsanitized output (no CSP blocking inline scripts).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] gist.github.com/xax007/28e7326acfae677be0b351216888e522 (MITRE, x_refsource_MISC)
- [2] github.com/fusionpbx/fusionpbx/commit/44edbfe7a7e256d1b80448026617365a40c92c61 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.