CVE-2021-37458
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in NCH Axon PBX 2.22 and earlier allows authenticated users to inject arbitrary JavaScript via the primary phone field.
Vulnerability
NCH Axon PBX version 2.22 and earlier is affected by a stored cross-site scripting (XSS) vulnerability. The primary phone field lacks input validation, allowing authenticated users to inject arbitrary JavaScript that is stored on the server and later executed in the browsers of other users viewing the affected configuration panel [1][2].
Exploitation
An attacker must have valid credentials to log into the Axon PBX web control panel. After authentication, the attacker navigates to the user or extension settings and enters a malicious payload into the primary phone field. The injected script is then stored and will execute in the browsers of any administrator or user who views that extension's details page. The attack requires no additional user interaction beyond normal page navigation [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the authenticated user's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the XSS is stored, it can affect multiple users over time, increasing the potential for data exfiltration or further compromise of the PBX administration console [1][2].
Mitigation
The vendor (NCH Software) has marked Axon PBX as a legacy program that is no longer supported; no security patch has been released. Users should upgrade to a supported alternative or restrict access to the Axon web interface to trusted users only. As of the publication date, no fix is available [1][2].
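The missing control described above is validation of the primary phone field, with output encoding as the independent second layer that protects even records stored before validation existed. The following is an added example (not NCH's code and not the referenced PoC) of both controls in a hypothetical extension-settings save and render path; the function names and sample values are assumptions constructed for illustration.

```python
import html
import re

# Allowlist for a phone field: optional leading '+', then a digit, then only
# digits, spaces, dots, hyphens and parentheses. Markup characters such as
# '<', '>', quotes and '/' never match, so a script payload is rejected
# before it can be persisted.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{2,30}$")


def validate_phone(value: str) -> str:
    """Return the trimmed phone string or raise ValueError on disallowed input."""
    value = value.strip()
    if not PHONE_RE.fullmatch(value):
        raise ValueError("primary phone contains characters outside the allowlist")
    return value


def render_extension_row(name: str, phone: str) -> str:
    """Render one extension as an HTML table row.

    Encoding is applied regardless of how the value got into storage, so a
    legacy record saved without validation is still rendered inert.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(name, quote=True), html.escape(phone, quote=True)
    )


def store_extension(store: dict, ext: str, name: str, phone: str) -> bool:
    """Hypothetical save handler: refuse to persist an invalid phone value."""
    try:
        store[ext] = {"name": name, "phone": validate_phone(phone)}
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the PBX configuration store
    print(store_extension(db, "100", "Front desk", "+1 555 010 0100"))  # True
    print(store_extension(db, "101", "Lab", "<script>alert(1)</script>"))  # False
    # Record that predates validation: output encoding still neutralises it.
    db["102"] = {"name": "Legacy", "phone": "<img src=x onerror=alert(1)>"}
    print(render_extension_row(**db["102"]))
```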
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
- www.nch.com.au/pbx/index.html
News mentions
No linked articles in our index yet.