CVE-2008-6894
Description
Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in 3CX Phone System Free Edition login.php allows arbitrary web script injection via fName and fPassword parameters.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the login.php page of 3CX Phone System Free Edition versions 6.1793 and 6.0.806.0. Input supplied through the fName and fPassword parameters is reflected back without sanitization or output encoding, allowing injection of arbitrary web script or HTML [1]. This is a reflected XSS issue that does not require authentication.
Exploitation
An attacker can craft a malicious URL containing JavaScript or HTML payloads in the fName or fPassword parameters. By tricking an administrator or user into clicking the crafted link, the injected script executes in the context of the victim's browser and the 3CX management console session [1]. No special network position or credentials are required beyond the ability to deliver the link.
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the authenticated session of the victim, leading to potential session hijacking, unauthorized administrative actions, information disclosure (including sensitive data displayed in the console), and further compromise of the 3CX Phone System [1].
Mitigation
The vendor was notified in August 2008 and released a fix in November 2008 [1]. Users should upgrade to a version released after November 2008 to address this vulnerability. If upgrading is not immediately possible, restrict access to the management console to trusted networks and users, and ensure HTTPS is enforced to mitigate session sniffing risks [1].
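As an added defender-side example, not code from the page or the vendor, the following script scans constructed web-server access-log lines for requests to login.php whose fName or fPassword values carry markup or script, which is the reflection pattern described above; the log format, field names and detection pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?fName=alice&fPassword=secret HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login.php?fName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fPassword=x HTTP/1.1" 200 640
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /login.php?fName=bob&fPassword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640
203.0.113.7 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two parameters named in the advisory.
WATCHED = ("fName", "fPassword")
# Markup, script URLs or event handlers have no business in a login field.
SUSPICIOUS = re.compile(r"<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def check_value(value):
    """True if a parameter value looks like injected markup or script.

    parse_qs already decodes one layer; decoding once more catches
    double-encoded payloads that a naive filter would miss.
    """
    decoded = unquote_plus(value)
    return bool(SUSPICIOUS.search(decoded))

def scan_log(text):
    """Return (ip, timestamp, param, value) tuples for suspicious login.php requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/login.php"):
            continue  # only the vulnerable page is of interest here
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED:
            for value in params.get(name, []):
                if check_value(value):
                    findings.append((m.group("ip"), m.group("ts"), name, value))
    return findings

if __name__ == "__main__":
    for ip, ts, name, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {name}={value!r}")
```

Only GET query strings are inspected; a POST-based login form would need the request body from a web application firewall or proxy log instead.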
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References (5)
News mentions
No linked articles in our index yet.