FusionPBX XSS 4

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\messages\messages_thread.php uses an unsanitized “contact_uuid” variable coming from the URL which is reflected on 3 occasions in HTML leading to XSS.

 

Bug ID: https://www.fusionpbx.com/app/tickets/ticket_edit.php?id=bc250780-76ba-48c1-adc0-de421cbd61fd
Fix: https://github.com/fusionpbx/fusionpbx/commit/c48a160af53352ad1a43518b7d0faab16b8dfbcc

Issue was reported on 14/08/2019 by Pierre Jourdan and fixed on 21/08/2019 on 4.4 and Master branches by Mark J Crane.

 

CVE published, NVD base score is 6.1 MEDIUM:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16971
https://nvd.nist.gov/vuln/detail/CVE-2019-16971

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s