CVE-2021-37453
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NCH Axon PBX v2.22 and earlier allows authenticated users to inject arbitrary JavaScript via the extension name field.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in NCH Axon PBX version 2.22 and earlier. The application fails to properly sanitize user input in the extension name field, allowing an authenticated user to inject arbitrary JavaScript code that is stored and later executed when an administrator views the extension list. The vendor has marked this product as legacy and no longer provides security updates [1][2].
Exploitation
An attacker must have valid credentials to log into the Axon PBX web control panel. Once authenticated, the attacker navigates to the extension management page and enters a malicious script payload into the extension name field. The payload is stored on the server. When an administrator or any user with access to the extension list views the affected extension, the script executes in their browser context [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data (including credentials or call logs), or further compromise of the PBX system. Because the administrator account has access to files on the system (as noted in the vendor's security notice [1]), the impact may extend to file disclosure or system-level compromise.
Mitigation
NCH Software has designated Axon PBX as a legacy product and no longer provides patches or support. No official fix is available. Users should consider migrating to a supported alternative. As a workaround, restrict access to the web control panel to trusted users only and monitor for suspicious activity. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
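The root cause described above (a stored display name written into the admin page without output encoding) and the workaround of monitoring an unpatched deployment can both be illustrated with a small example. This is an added illustration, not Axon PBX code: the extension table layout, the allow-list regex and the audit pattern are assumptions chosen for the demonstration.

```python
"""Added example (not NCH Axon PBX code): how a stored extension name turns
into stored XSS when rendered verbatim, how contextual output encoding
prevents it, and a simple audit helper for data that is already stored."""
import html
import re

# Constructed sample records standing in for a PBX extension table.
SAMPLE_EXTENSIONS = [
    {"number": "101", "name": "Front Desk"},
    {"number": "102", "name": "<script>alert('xss')</script>"},
]

# Hypothetical input allow-list: the characters a display name actually needs.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_extension_name(name: str) -> bool:
    """Input-side check applied when an extension is created or renamed."""
    return bool(NAME_RE.fullmatch(name))


def render_unsafe(extensions) -> str:
    """Vulnerable pattern: the stored name is concatenated into HTML as-is,
    so any markup it contains becomes part of the page."""
    rows = "".join(
        f"<tr><td>{e['number']}</td><td>{e['name']}</td></tr>" for e in extensions
    )
    return f"<table>{rows}</table>"


def render_safe(extensions) -> str:
    """Hardened pattern: HTML-encode every untrusted value at the point it is
    written into an HTML text node, regardless of what was stored."""
    rows = "".join(
        f"<tr><td>{html.escape(e['number'])}</td>"
        f"<td>{html.escape(e['name'], quote=True)}</td></tr>"
        for e in extensions
    )
    return f"<table>{rows}</table>"


# Markup metacharacters, a javascript: scheme, or an inline event handler.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def find_suspicious_names(extensions) -> list:
    """Audit helper for a deployment that cannot be patched: return the
    extension numbers whose stored name looks like markup rather than a name."""
    return [e["number"] for e in extensions if SUSPICIOUS_RE.search(e["name"])]


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_EXTENSIONS))
    print(render_safe(SAMPLE_EXTENSIONS))
    print("flagged extensions:", find_suspicious_names(SAMPLE_EXTENSIONS))
```

The encoding in `render_safe` is the actual fix; the allow-list in `validate_extension_name` is defence in depth and would have to be paired with a cleanup of names already in the database, which is what `find_suspicious_names` is for.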
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.nch.com.au/pbx/index.html
[2] github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
News mentions
No linked articles in our index yet.