CVE-2021-37455
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated XSS in NCH Axon PBX v2.22 and earlier via insufficient input validation allows stored attacks in multiple fields, including the outbound dialing plan.
Vulnerability
NCH Axon PBX version 2.22 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability due to a lack of input validation of user-controlled fields. The issue affects the outbound dialing plan (as per the CVE description), but the available reference [2] indicates multiple other fields are also exploitable, including extension name, line name, blacklist IP, SipRule, primary phone, and customer name. The vendor has designated Axon PBX as a legacy product no longer supported [1].
Exploitation
An attacker must have authenticated access to the Axon PBX administration interface. Once authenticated, the attacker can inject arbitrary JavaScript code into input fields such as the outbound dialing plan. The payload is stored on the server and executed in the browser of any other user who visits or interacts with the affected administrative page. No additional user interaction beyond viewing the stored data is required for the stored XSS variant. For reflected XSS, the attacker would need to trick an authenticated user into clicking a crafted link containing the malicious payload in specific parameters (e.g., /planprop?id= or /ipblacklist?errorip=) [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session within the Axon PBX web interface. This can lead to session hijacking, data theft (such as credentials or call records), defacement, or other actions that the victim's browser can perform in the application. Since the admin user can have access to files on the system [1], a compromised admin session may lead to further compromise.
Mitigation
No patch is available because NCH Software has classified Axon PBX as legacy software and no longer provides security updates [1]. Users are advised to upgrade to a currently supported alternative or isolate the application from untrusted networks. If continued use is necessary, restrict administrative access to trusted users only and apply strict content security policies. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
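The two defensive measures named above, HTML-escaping stored field values at output time and a script-restricting Content Security Policy, shown in an added Python example that is not part of this CVE record or of Axon PBX itself; the dialing-plan entry, the rendering functions and the CSP strings are constructed for illustration.

```python
import html
import re

# Constructed sample: a stored outbound dialing plan entry whose name field carries
# markup of the kind the CVE describes (test input only, not a real Axon PBX record).
DIAL_PLAN_ENTRY = {
    "name": 'International <script>alert("xss")</script>',
    "prefix": "00",
}

def render_vulnerable(entry):
    """Rendering pattern that produces stored XSS: raw field values are concatenated into HTML."""
    return f'<tr><td>{entry["name"]}</td><td>{entry["prefix"]}</td></tr>'

def render_hardened(entry):
    """Same table row, with every user-controlled value HTML-escaped before it reaches the page."""
    name = html.escape(entry["name"], quote=True)
    prefix = html.escape(entry["prefix"], quote=True)
    return f"<tr><td>{name}</td><td>{prefix}</td></tr>"

# The only tags the template itself is allowed to emit.
TEMPLATE_TAGS = re.compile(r"</?(?:tr|td)>")

def leaks_markup(rendered_html):
    """True if anything beyond the template's own <tr>/<td> tags reaches the browser as markup."""
    remainder = TEMPLATE_TAGS.sub("", rendered_html)
    return "<" in remainder or ">" in remainder

def csp_allows_inline_script(policy):
    """True if a Content-Security-Policy value would let an injected inline <script> execute.

    Simplified check: it ignores nonces, hashes and 'strict-dynamic', which in CSP3
    browsers cause 'unsafe-inline' to be disregarded when present alongside them.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src: scripts are unrestricted
    return "'unsafe-inline'" in sources

if __name__ == "__main__":
    print("vulnerable leaks markup:", leaks_markup(render_vulnerable(DIAL_PLAN_ENTRY)))
    print("hardened leaks markup:  ", leaks_markup(render_hardened(DIAL_PLAN_ENTRY)))
    print("CSP allows inline:      ", csp_allows_inline_script("default-src 'self'; object-src 'none'"))
```

Escaping at output is the fix for the defect itself; the CSP check only tells you whether a second layer would stop an inline payload that slipped through.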
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.nch.com.au/pbx/index.html
- [2] github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
News mentions
No linked articles in our index yet.