AXON PBX 2.02 Cross Site Scripting

2018.06.01

Credit: Himanshu Mehta

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2018-11552

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Aloha,
*1. Introduction*
Vendor: NCH Software
Affected Product: AXON PBX - 2.02
Vendor Website: http://www.nch.com.au/pbx/index.html
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
CVE ID: CVE-2018-11552
*2. Overview*
There is a reflected XSS vulnerability in AXON PBX Web interface. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.
*3. Affected Parameter*
'Name' Parameter (Go to AXON->Auto-Dialer->Agents->Name)
*4. Payload*
<script>alert('XSS')</script>
*5. Credit*
Himanshu Mehta (@LionHeartRoxx)
Chao,
Himanshu Mehta

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

AXON PBX 2.02 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.