CVE-2021-37457
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NCH Axon PBX v2.22 and earlier via the SipRule field allows authenticated attackers to inject arbitrary JavaScript.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in NCH Axon PBX version 2.22 and earlier. The SipRule field lacks proper input validation, allowing an authenticated user to inject arbitrary JavaScript code that is stored and later executed in the browsers of other users who view the affected page [2].
Exploitation
An attacker must have authenticated access to the Axon PBX web control panel. The attacker navigates to the SIP rule configuration, inserts a malicious payload into the SipRule field, and saves the rule. When any other user (including administrators) views the SIP rules, the injected script executes in their browser context [2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data (e.g., credentials, call logs), or further compromise of the PBX system through actions performed on behalf of the victim [2].
Mitigation
NCH Software has marked Axon PBX as a legacy product and no longer provides security updates [1]. No patch is available. Organizations still using this software should restrict access to the web control panel to trusted users only and consider migrating to a supported alternative [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
References
- github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md (mitre, x_refsource_MISC)
- www.nch.com.au/pbx/index.html (mitre, x_refsource_MISC)