CVE-2019-11408
MEDIUMFusionPBX 4.4.3 - Unauthenticated Stored Cross-Site Scripting via Caller ID
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2019-11408. PoCs published by HoseynHeydari.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-11408, demonstrating an RCE vulnerability in FusionPBX via SIP message manipulation and XSS payload injection. The exploit chains SIP registration and call initiation to trigger a reverse shell via an XMLHttpRequest payload.
Description
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.
Exploits (1)
This repository contains a functional exploit for CVE-2019-11408, demonstrating an RCE vulnerability in FusionPBX via SIP message manipulation and XSS payload injection. The exploit chains SIP registration and call initiation to trigger a reverse shell via an XMLHttpRequest payload.
References (3)
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N