CVE-2019-16970: FusionPBX XSS 3
In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses an unsanitized “savemsg” variable coming from the URL, which is reflected in HTML, leading to XSS.
An attacker targeting an authenticated user can lure them into clicking a specially crafted FusionPBX 4.5.7 URL, which causes JavaScript code to be executed in the user's browser.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=dc5f192e-c6e0-4526-bb66-687a88d435ec
Fix: https://github.com/fusionpbx/fusionpbx/commit/a55f1cd5d8edd655058152e9acf212680d5b75f3
The issue was reported on 15/08/2019 by Pierre Jourdan and fixed on 21/08/2019 in the 4.4 and master branches by Mark J Crane.
The CVE has been published; the NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16970
https://nvd.nist.gov/vuln/detail/CVE-2019-16970
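To check whether an unpatched instance received requests that used the "savemsg" reflection described above, the following added example (not FusionPBX code and not part of the original advisory) scans access-log lines for that parameter carrying HTML metacharacters, including double-encoded ones. The combined log format, the forward-slash URL form of the path, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# URL form of the file and the parameter named in the advisory (path form assumed).
TARGET_PATH = "/app/sip_status/sip_status.php"
PARAM = "savemsg"
# Characters that let a reflected value leave HTML text or an attribute context.
HTML_META = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Aug/2019:10:00:01 +0000] "GET /app/sip_status/sip_status.php?savemsg=Settings+saved HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Aug/2019:10:00:05 +0000] "GET /app/sip_status/sip_status.php?savemsg=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5188',
    '198.51.100.7 - - [21/Aug/2019:10:00:09 +0000] "GET /app/sip_status/sip_status.php?savemsg=%253Cb%253E HTTP/1.1" 200 5170',
    '198.51.100.7 - - [21/Aug/2019:10:00:12 +0000] "GET /core/dashboard/?savemsg=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_savemsg(log_line):
    """Return the decoded savemsg value if it carries HTML metacharacters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith(TARGET_PATH):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == PARAM and HTML_META.search(fully_decode(value)):
            return fully_decode(value)
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = [(n, suspicious_savemsg(l)) for n, l in enumerate(lines, start=1)]
    return [(n, v) for n, v in hits if v is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: savemsg carries markup: {value!r}")
```

A hit only shows that markup was sent in the parameter; whether it was reflected depends on the installed version relative to the fix commit linked above.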