Vulnerabilities in FusionPBX


Original Thread:

CVE-2019-11408: Dustin Cobb – XSS in Operator Panel
CVE-2019-11409: Dustin Cobb – Command Injection in Operator Panel
CVE-2019-11410: Dustin Cobb – Command Injection in Backup Module
CVE-2019-11407: Dustin Cobb – Information disclosure through debug parameter

What I find disturbing is this:

04/04/19 – Vulnerabilities disclosed to FusionPBX
04/05/19 – Developer pushes preliminary patches to the project’s Github
04/07/19 – Attempt to contact developer to discuss coordinated disclosure
04/09/19 – Developer responds and states that they do not intend to publish advisory or otherwise disclose the existence of the vulnerabilities
04/22/19 – CVE IDs obtained and shared with developer, 2nd request for coordination of public disclosure, no response received
05/22/19 – Aon provides updated patch for CVE-2019-11409 in a pull request
06/02/19 – Pull request accepted
06/06/19 – Aon public disclosure



Staff member
I suppose even more worrying is the fact that an iptables rule has JUST been reinstated to catch this exploit attempt. We already know this is patched as confirmed in the CVE. The reintroduction of the iptables rules may well imply that there are other places where this attack could be effective.


Active Member
Staff member
They offered for me to write the CVE or that they would write it. They offered and so I took them up on that offer. You know, delegating work. That allowed me to spend more time on improvements to the security for the entire project.

DigitalDaz, you had something to do with that rule being removed, or did you forget that? But this sudden release of the vulnerability ahead of schedule made it apparent that the band-aid is still needed, in particular for those on the 4.4 branch and older versions of FusionPBX. So for that reason it was re-applied. It was never removed for people that installed while it was there.

Also I was going to push more changes to 4.4 before releasing an announcement to spread the word and make it more likely that more hackers would become aware and start exploiting people on 4.4.

If you are on the LATEST master branch you are safe from these released vulnerabilities. If you haven't followed my constant advice to upgrade to the latest Master branch, at the moment you are not completely safe. If you are on an old version or 4.4 and do not have time to upgrade or do not want to, then at least do this:

rm -R /var/www/fusionpbx/app/operator_panel

Since the code is open source, everyone here also had that opportunity. No coding skill? Then you could have hired someone to review it or asked a friend with enough skills to do so.

While some accuse us of being neglectful and write up complaints, we are working on improving the code of the entire project on a nearly daily basis. We have had some people submit pull requests, occasional bug fixes, and some have reviewed security. No single person will catch all security problems. So the best security requires resources and multiple developers and security consultants. It takes either a lot of volunteers, ones that are willing to do mundane tasks, or a lot of money to pay people to do this.

This highlights the reason why I started the Continuing Education and later the FusionPBX membership and put time into it. I have pleaded for more support, but I don't think many of you realize how much it is needed or the level of work involved to build and maintain this project. Things are headed in a better direction: the membership concept is working, and we hired another support person who is also able to help with security. We will succeed unless negativity prevails.

Choose whether you will be part of helping this project get better and then find a way to help.
Hi Markjcane. The product you give to the community is priceless. I have been a long time user and love this product. I have submitted patches (long ago) and have more to improve the Fanvil provisioning once I'm happy with our internal templates. People need to remember the risks and benefits of using open source products.

I'm not sure if people remember the OpenSSL bug that existed for 10 years. It's an open source product and anyone could have patched it.

Keep up the good work. We will be signing up as a member for fusionpbx to get support and keep the product going.


Active Member
Staff member
Update for FusionPBX 4.4
On Monday late night, I moved more code changes to 4.4. Ones that were not in the announcement.
Currently emptied operator_panel/exec.php to protect people that upgraded to the latest FusionPBX 4.4.
This means you don't have to remove the operator panel, only update it. But if you use it, actions are currently disabled.
Viewing it is working.
Added a Twitter announcement where I normally have posted public news.
In the future I will use the FusionPBX website more for news.
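The thread gives two ways to take the operator panel's action endpoint out of play: removing app/operator_panel on older versions, or the 4.4 update that ships an emptied operator_panel/exec.php. The script below is an added example, not FusionPBX's own code; it classifies an install directory into those states so an administrator can confirm which one applies. The default path is the one quoted in the thread; the sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FusionPBX's own code: report whether the operator panel
# can still execute actions, based on the two mitigations the thread describes.

# opanel_state DIR -> prints one of: removed | neutralized | active
opanel_state() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "removed"          # directory gone: rm -R mitigation (or never installed)
  elif [ ! -s "$dir/exec.php" ]; then
    echo "neutralized"      # exec.php absent or empty: viewing works, actions disabled
  else
    echo "active"           # exec.php still contains code: update or remove it
  fi
}

# Builds a constructed sample tree with all three states under BASE (demo only).
make_sample() {
  base="$1"
  mkdir -p "$base/active/operator_panel" "$base/neutralized/operator_panel" "$base/removed"
  printf '<?php /* constructed stand-in, not the real file */ ?>\n' \
    > "$base/active/operator_panel/exec.php"
  : > "$base/neutralized/operator_panel/exec.php"
}

# Exercise the check on the sample tree, then on the path quoted in the thread.
demo() {
  sample=$(mktemp -d)
  make_sample "$sample"
  for v in active neutralized removed; do
    echo "sample/$v: $(opanel_state "$sample/$v/operator_panel")"
  done
  rm -rf "$sample"
  real=/var/www/fusionpbx/app/operator_panel
  echo "$real: $(opanel_state "$real")"
}

demo
```

Run it as root on the PBX host; "active" means the panel still has a live exec.php and the host should be updated to current master or the directory removed as the thread advises.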


Active Member
Staff member
CVE-2019-11410: Dustin Cobb – Command Injection in Backup Module
This backup module is in app/backup; it is not used by many people and is available only to users in the superadmin group. The patched version from the master branch has just been moved to fusionpbx-apps/backup. It has been removed from the 4.4 and Master branches. This is not a new idea; I have been considering moving it for a year or two.

The preferred method for backup is the fusionpbx-backup shell script found here


Active Member
Staff member
Spent lots of time in the last week working more on tightening up security. Over the weekend I put in about 20 hours looking through code and strengthening it on both the 4.4 branch and Master. The Master branch is ahead in security because some of the changes in Master aren't compatible with 4.4. The main thing in this regard is the database class with parameterized queries. If you care about security then you should consider upgrading and staying up to date with the latest FusionPBX.