CVE-2019-11408

MEDIUM

FusionPBX 4.4.3 - Unauthenticated Stored Cross-Site Scripting via Caller ID

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11408. PoCs published by HoseynHeydari.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-11408, demonstrating remote code execution against FusionPBX by chaining SIP message manipulation with XSS payload injection. The exploit chains SIP registration and call initiation to trigger a reverse shell via an XMLHttpRequest payload.

Description

XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript by placing a phone call with a specially crafted caller ID number. The caller ID is written into the Operator Panel page without output encoding, so the injected script runs in the browser of any authenticated user who views the panel while the call is active; that viewing step is the user interaction the CVSS vector records as UI:R. Because the script executes with the viewer's session, it can issue requests to other FusionPBX pages on that user's behalf, which is how this XSS can be chained with a command injection vulnerability also present in FusionPBX to achieve remote code execution on the PBX host.
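The following is an added illustration of the flaw and its fix, not code from the FusionPBX project or from the PoC repository linked on this page. It assumes a PBX that takes caller ID name and number from the SIP From header and prints them into an HTML table; the SIP INVITE is constructed for the example, the `render_row_*` functions are a model of the panel rather than FusionPBX's actual rendering code, and the `valid_number` and `suspicious_caller_id` helpers are hypothetical names chosen here. It shows the unescaped rendering beside the encoded one, a charset check that rejects non-numeric caller IDs at input, and a detection check that flags HTML metacharacters in call records.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample SIP INVITE (not a capture from any real system). The
# attacker controls the From header entirely; here the display name carries
# the XSS payload and the user part is the spoofed caller ID number.
SAMPLE_INVITE = (
    "INVITE sip:1001@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "<script>alert(1)</script>" <sip:2025550199@203.0.113.5>;tag=1928301774\r\n'
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass
class CallerId:
    name: str
    number: str


# Minimal From-header parser: optional quoted display name, then <sip:user@host>.
FROM_RE = re.compile(r'^From:\s*(?:"([^"]*)"\s*)?<sip:([^@>]+)@', re.IGNORECASE)


def parse_caller_id(invite: str) -> CallerId:
    """Extract caller ID name and number from the From header of a SIP request."""
    for line in invite.split("\r\n"):
        m = FROM_RE.match(line)
        if m:
            return CallerId(name=m.group(1) or "", number=m.group(2))
    raise ValueError("no From header in request")


def render_row_vulnerable(cid: CallerId) -> str:
    """Model of the flaw: caller ID interpolated straight into the panel's HTML."""
    return f"<td>{cid.name}</td><td>{cid.number}</td>"


def render_row_fixed(cid: CallerId) -> str:
    """Hardened form: HTML-encode every caller-supplied value at the output sink."""
    return (
        f"<td>{html.escape(cid.name, quote=True)}</td>"
        f"<td>{html.escape(cid.number, quote=True)}</td>"
    )


# Caller ID numbers should be digits with an optional leading '+' and the
# usual DTMF symbols; anything else is not a phone number and can be rejected
# before it reaches the panel at all (hypothetical policy, assumed here).
NUMBER_RE = re.compile(r"^\+?[0-9*#]{1,20}$")


def valid_number(number: str) -> bool:
    return NUMBER_RE.fullmatch(number) is not None


HTML_META = re.compile(r"[<>\"'&]")


def suspicious_caller_id(cid: CallerId) -> bool:
    """Detection check: HTML metacharacters in a caller ID field of a call record."""
    return bool(HTML_META.search(cid.name) or HTML_META.search(cid.number))


if __name__ == "__main__":
    cid = parse_caller_id(SAMPLE_INVITE)
    print("vulnerable:", render_row_vulnerable(cid))
    print("fixed:     ", render_row_fixed(cid))
    print("flagged:   ", suspicious_caller_id(cid))
```

Output encoding at the sink is the fix that closes CWE-79 regardless of what the caller sends; the charset check is defence in depth, since a caller ID name legitimately can contain letters and punctuation and cannot be restricted as tightly as the number. The detection check is the one to run over CDR or channel records after the fact: a caller ID containing `<`, `>`, quotes or `&` has no business reason to exist.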

Exploits (1)

nomisec WORKING POC
by HoseynHeydari · poc
https://github.com/HoseynHeydari/fusionpbx_rce_vulnerability


Classification
Working PoC: 95% confidence
Attack type: RCE (via chaining; the CVE itself is XSS)
Complexity: moderate
Reliability: reliable
Target: FusionPBX (version not specified)
Authentication: none needed to trigger the injection
Prerequisites: network access to the FusionPBX SIP interface; ability to send and receive UDP traffic on ports 5060, 52058, and 53086
Analyzed by mistral-large-3 on Feb 18, 2026

Scores

CVSS v3.0: 6.1 (MEDIUM)
EPSS: 0.0687 (93.3rd percentile)
Attack vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (no privileges required; a user must view the affected page; scope changes because the payload runs in the viewer's browser)

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (1): fusionpbx/fusionpbx 4.4.3
Published: Jun 17, 2019
Tracked since: Feb 18, 2026