CVE-2021-37454

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in NCH Axon PBX version 2.22 and earlier. The vulnerability arises from insufficient input validation in the line name field, allowing attackers to inject arbitrary JavaScript code. The vendor notes that this is a legacy program no longer supported [1][2].

Exploitation

An authenticated attacker can exploit this by setting a malicious line name containing JavaScript payloads. When the line name is rendered in the web interface, the script executes in the context of other users' browsers. The attack is remote and requires authentication. The GitHub reference lists multiple stored XSS vectors including extension name, line name, outbound dialing plan, blacklist IP, SipRule, primary phone, and customer name [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Axon PBX web application. This can lead to session hijacking, defacement, or theft of sensitive information such as admin credentials, as the admin may have access to files on the system [1].

Mitigation

As of the publication date, no patch is available because the product is end-of-life and no longer supported. Users are advised to discontinue use of Axon PBX and migrate to a supported alternative. There is no known workaround beyond restricting network access to the web interface [1].