An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.
In FusionPBX up to v4.5.7, file app\destinations\destination_imports.php uses an unsanitized “query_string” variable coming from the URL which is reflected on 2 occasions in HTML leading to XSS.
Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=312f1c50-cded-4869-9916-6b6522bc43f8
Fix: https://github.com/fusionpbx/fusionpbx/commit/d6ea02d896b2c57dec491ee3b36ec102639270be
Issue was reported on 10/08/2019 by Pierre Jourdan and fixed on 13/08/2019 on 4.4 and Master branches by Mark J Crane.
CVE published:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16976
https://nvd.nist.gov/vuln/detail/CVE-2019-16976
Resp3ct blog 