VYPR
Unrated severity · NVD Advisory · Published Nov 28, 2019 · Updated Aug 5, 2024

CVE-2019-19388

Description

A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting (XSS) vulnerability in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter in dialplan_detail_edit.php.

Vulnerability

FusionPBX 4.4.1 contains a stored XSS vulnerability in app/dialplans/dialplan_detail_edit.php. The dialplan_uuid parameter is taken directly from user input and rendered without adequate sanitization or encoding, enabling injection of arbitrary HTML and JavaScript. The issue exists in the code path that processes GET or POST requests for the dialplan edit form [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a specially crafted dialplan_uuid parameter (e.g., ``) and tricking an authenticated user into clicking it. No additional privileges beyond a valid session are required; the injected script executes in the context of the victim’s session when the page loads [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the victim. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the affected page. The attack scope is limited to the browser context of the vulnerable endpoint [1][2].

Mitigation

The vulnerability was fixed in commit b584973e73a4d25be623c9748dd9817f69422ecc [1]. Users should upgrade to a version of FusionPBX that includes this fix (post-4.4.1). No workaround is provided by the vendor; patching is the recommended action [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing input validation on the `dialplan_uuid` parameter allows arbitrary HTML/JavaScript to be reflected back to the user."

Attack vector

An unauthenticated remote attacker can inject arbitrary web script or HTML by sending a crafted HTTP GET request to `app/dialplans/dialplan_detail_edit.php` with a malicious `dialplan_uuid` parameter [ref_id=2]. The proof-of-concept payload `123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca` demonstrates how the unsanitized input is reflected back to the victim's browser, executing attacker-controlled JavaScript [ref_id=2]. No authentication or special privileges are required because the vulnerable code path executes before the permission check [ref_id=1].

Affected code

The vulnerability is in `app/dialplans/dialplan_detail_edit.php` [ref_id=1][ref_id=2]. The file directly assigned `$_REQUEST["dialplan_uuid"]` to the `$dialplan_uuid` variable without any sanitization or validation [ref_id=1].

What the fix does

The patch wraps the assignment of `$dialplan_uuid` (and `$app_uuid`) inside an `if (is_uuid(...))` guard, so the value is only accepted if it passes a UUID validation function [ref_id=1]. Additionally, the direct `$_REQUEST` read was moved from outside the POST block into a conditional that only runs after the POST processing, preventing the unsanitized GET parameter from being used [ref_id=1]. This closes the XSS vector by rejecting any non-UUID input, including the malicious JavaScript payloads shown in the proof-of-concept [ref_id=2].
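The unguarded read and the guarded read side by side, as an added PHP example that is not FusionPBX's own code: `is_uuid_strict()` and the hidden-input markup are assumed stand-ins for the project's `is_uuid()` helper and the real edit form.

```php
<?php
// Added example, not FusionPBX's own code: the vulnerable pattern the advisory
// describes beside a guarded version. is_uuid_strict() is an assumed stand-in
// for FusionPBX's is_uuid(); the markup is a constructed stand-in for the form.

// Before the fix: the request value is assigned and echoed without validation,
// so a value that closes the attribute and opens a tag is reflected verbatim.
function render_vulnerable(array $request): string
{
    $dialplan_uuid = $request["dialplan_uuid"] ?? '';
    return '<input type="hidden" name="dialplan_uuid" value="' . $dialplan_uuid . '">';
}

// Allowlist check: exactly one RFC 4122-shaped UUID, nothing else.
function is_uuid_strict(string $value): bool
{
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

// After the fix: assign only when the value passes the guard, and still encode
// on output so the defence does not rest on the allowlist alone.
function render_hardened(array $request): ?string
{
    $dialplan_uuid = '';
    if (isset($request["dialplan_uuid"]) && is_uuid_strict($request["dialplan_uuid"])) {
        $dialplan_uuid = $request["dialplan_uuid"];
    }
    if ($dialplan_uuid === '') {
        return null; // caller should answer with an error, not render the form
    }
    $safe = htmlspecialchars($dialplan_uuid, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="dialplan_uuid" value="' . $safe . '">';
}

// Constructed inputs: a well-formed UUID and a non-UUID string of the shape
// used in the advisory's proof of concept (attribute-closing characters).
$good = ["dialplan_uuid" => "2b1f3e4a-5c6d-4e7f-8a9b-0c1d2e3f4a5b"];
$bad  = ["dialplan_uuid" => "123'\"><b>x</b>"];

echo render_vulnerable($bad), PHP_EOL; // markup breaks out of the attribute
var_dump(render_hardened($bad));       // NULL: rejected before it is ever used
echo render_hardened($good), PHP_EOL;  // UUID accepted and rendered encoded
```

The first output line shows why the original assignment was exploitable; the second shows that the UUID guard rejects the input before it reaches the page, which is the behaviour the fix commit introduces.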

Preconditions

  • Network: The attacker must be able to send HTTP requests to a FusionPBX instance running version 4.4.1 or 4.5.10
  • Auth: No authentication or session is required; the vulnerable code executes before the permission check

Reproduction

Visit `https://target/app/dialplans/dialplan_detail_edit.php?dialplan_uuid=123%27%22%3E%3Csvg/onload=alert(document.domain)%3E%3Ca` [ref_id=2]. The browser will execute the injected JavaScript, displaying an alert with the document domain [ref_id=2].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
