CVE-2021-37456
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NCH Axon PBX v2.22 and earlier via blacklist IP address allows authenticated attackers to inject arbitrary JavaScript.
Vulnerability
Stored Cross-Site Scripting (XSS) exists in NCH Axon PBX version 2.22 and earlier [1]. The vulnerability resides in the blacklist IP address field, where user-supplied input is not properly sanitized before being stored and later rendered in the administrative web interface [2]. This allows an authenticated user to inject arbitrary JavaScript code that will execute in the context of other administrators' browsers when they view the blacklist page.
Exploitation
An attacker must have valid administrative credentials to access the blacklist configuration page [2]. The attacker can then insert a malicious payload (e.g., ``) into the IP address field. Once saved, the payload is stored and executed whenever another administrator loads the blacklist page, triggering the XSS without further interaction.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is persistent and affects all users who view the blacklist page.
Mitigation
NCH Software has marked Axon PBX as a legacy product and no longer provides security updates [1]. As of the publication date, no official patch is available. Users are advised to restrict administrative access to trusted personnel and consider migrating to a supported PBX solution. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
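As an added illustration of the control that is missing here (example code, not NCH's own code and not the referenced proof of concept), the following shows the two layers a blacklist IP field should have: strict address validation before storage, so that only canonical IP/CIDR strings can ever be persisted, and HTML escaping when the stored list is rendered, so that any value that does reach the page is inert text. The function names and the sample submissions are assumptions.

```python
import html
import ipaddress
from typing import List, Tuple

# Constructed sample of values an administrator might submit to the blacklist
# field: two IPv4 entries (one a CIDR range), one IPv6 address, and one
# non-IP string carrying markup. The markup here is deliberately harmless.
SAMPLE_INPUT = ["203.0.113.7", "198.51.100.0/24", "2001:db8::1", "<i>not an ip</i>"]


def validate_blacklist_entry(raw: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address or network.

    Returns the canonical string produced by the ipaddress module, so the
    stored value can contain nothing but hex digits, dots, colons and a slash.
    Raises ValueError for anything else (the path CVE-2021-37456 lacks).
    """
    value = raw.strip()
    try:
        return str(ipaddress.ip_address(value))       # single host
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(value, strict=False))  # CIDR range
    except ValueError as exc:
        raise ValueError(f"rejected blacklist entry: {raw!r}") from exc


def process_submissions(raw_entries: List[str]) -> Tuple[List[str], List[str]]:
    """Validate each submitted entry; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for raw in raw_entries:
        try:
            accepted.append(validate_blacklist_entry(raw))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected


def render_blacklist_unsafe(entries: List[str]) -> str:
    # The stored-XSS pattern: persisted values pasted into HTML unchanged.
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_blacklist_safe(entries: List[str]) -> str:
    # Defence in depth: even if validation were bypassed, escaping at render
    # time turns '<', '>', '&' and quotes into entities the browser shows as text.
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"
```

Both layers matter: validation keeps the markup out of the data store, and escaping protects every page that later displays the list, including ones added after the fact.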
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md (MISC)
- www.nch.com.au/pbx/index.html (MISC)
News mentions
No linked articles in our index yet.