FusionPBX XSS 14

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\access_controls\access_control_nodes.php uses an unsanitized “id” variable coming from the URL which is reflected in HTML leading to XSS.

 

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=af41abf3-8f92-41b6-973a-89ef8cd14be5
Fix: https://github.com/fusionpbx/fusionpbx/commit/c9f87dc16def2135930ebbfd667651cc3f6de2ff

Issue was reported by Pierre Jourdan on 06/08/2019 and fixed on 07/08/2019 by Mark J Crane.

 

CVE published, NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16982
https://nvd.nist.gov/vuln/detail/CVE-2019-16982

Leave a comment