VYPR
Unrated severity · NVD Advisory · Published Jan 19, 2024 · Updated May 30, 2025

CVE-2024-23387

Description

FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FusionPBX prior to 5.1.0 contains a stored XSS vulnerability that allows an authenticated administrator to execute arbitrary script in another administrator's browser.

Vulnerability

FusionPBX versions prior to 5.1.0 contain a stored cross-site scripting (XSS) vulnerability (CWE-79) [2]. The vulnerability resides in the administrative interface, where an authenticated attacker with admin privileges can inject arbitrary script code that is stored and later executed in the browser of another administrator logging into the system [2].

Exploitation

To exploit this vulnerability, an attacker must be a remote, authenticated user with administrative privileges in FusionPBX. The attacker saves script content into a field that the application stores and later renders without output encoding; the affected field is not named in this summary, and candidates include configuration settings, extension names, or other admin-managed data. When another administrator logs in and views the page that renders the stored value, the injected script executes in that administrator's browser with the victim's session [2].
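
The stored-XSS pattern described above, as an added example that is not FusionPBX code: a Python rendering of admin-managed records, first with the stored value interpolated raw into HTML and then escaped on output (the equivalent in FusionPBX's own language is PHP's htmlspecialchars($v, ENT_QUOTES)), together with a parser-based check that reports what a browser would actually execute and a triage helper for records already saved. The records, field names, template and payloads are constructed for illustration and do not come from the advisory or its references.

```python
"""Stored XSS in an admin page: raw interpolation vs. output encoding.

Added example, not FusionPBX code. Records, field names, the template
and the payloads are constructed to mirror the CWE-79 pattern in the
advisory: an admin-controlled value is stored, then rendered into a
page that a second administrator views.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample of admin-managed records as a malicious
# administrator might have saved them (hypothetical data).
STORED_EXTENSIONS = [
    {"extension": "1001", "description": "Front desk"},
    # Text-context payload: runs wherever the value lands between tags.
    {"extension": "1002",
     "description": "<script>alert(document.cookie)</script>"},
    # Attribute-context payload: closes the quoted attribute, adds a handler.
    {"extension": "1003",
     "description": '" onmouseover="alert(document.domain)'},
]


def render_page_unsafe(records):
    """Vulnerable pattern: stored values pasted into HTML unchanged.

    The description is used both as text and inside a double-quoted
    attribute, the two contexts in which the two payloads above fire."""
    rows = [
        '<tr><td>{extension}</td>'
        '<td title="{description}">{description}</td></tr>'.format(**r)
        for r in records
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_page_safe(records):
    """Hardened pattern: escape on output for the HTML context.

    html.escape(quote=True) encodes & < > " and ', the same set PHP's
    htmlspecialchars($v, ENT_QUOTES) covers, so the value is inert both
    as text and inside a double-quoted attribute."""
    rows = []
    for r in records:
        ext = html.escape(r["extension"], quote=True)
        desc = html.escape(r["description"], quote=True)
        rows.append(f'<tr><td>{ext}</td><td title="{desc}">{desc}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"


class _ActiveContentScanner(HTMLParser):
    """Collects constructs that a browser would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def active_content(rendered_html):
    """Parse rendered HTML as a browser would and list script tags,
    on* event handlers and javascript: URLs. A regex over the raw page
    is not enough here: the escaped page still contains the substring
    'onmouseover=' as harmless text."""
    scanner = _ActiveContentScanner()
    scanner.feed(rendered_html)
    scanner.close()
    return scanner.findings


_SCRIPT_MARKERS = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:",
                             re.IGNORECASE)


def find_suspect_records(records):
    """Triage helper for an instance that was exposed before upgrading:
    flag stored values carrying script markers. A blocklist is not the
    fix (output encoding is); it only helps find what was already saved."""
    return [
        (rec["extension"], field)
        for rec in records
        for field, value in rec.items()
        if _SCRIPT_MARKERS.search(value)
    ]


if __name__ == "__main__":
    print("unsafe:", active_content(render_page_unsafe(STORED_EXTENSIONS)))
    print("safe:  ", active_content(render_page_safe(STORED_EXTENSIONS)))
    print("stored payloads:", find_suspect_records(STORED_EXTENSIONS))
```

The point of the parser-based check is that the unsafe page yields a live script tag and an onmouseover handler while the escaped page yields nothing, even though both contain the attacker's text; escaping must match the output context (text, attribute, URL, JavaScript), and the triage regex only locates records that need review after the upgrade to 5.1.0, it does not replace encoding.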

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim administrator's session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, or disclosure of sensitive information displayed in the admin interface [2].

Mitigation

The vulnerability is fixed in FusionPBX version 5.1.0, released in July 2023 [1][2]. Users should upgrade to this version or later. No workarounds are documented in the available references; upgrading is the recommended mitigation [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • FusionPBX / FusionPBX (no CPE): versions <5.1.0
  • FusionPBX / FusionPBX (no CPE): versions prior to 5.1.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.