CVE-2021-37459

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in NCH Axon PBX version 2.22 and earlier. The customer name field lacks proper input validation, allowing an authenticated user to inject arbitrary JavaScript payloads. The injected script is stored on the server and executed in the browser of any user who views the affected page. Multiple other fields are also listed as affected, but the primary attack vector mentioned is the customer name field (stored). [1][2]

Exploitation

An attacker must have an authenticated session within Axon PBX (e.g., as a user with permission to manage customer records). The attacker navigates to the customer management interface and submits a payload through the customer name field. No special network position is required beyond normal web access; the attacker does not need to be on the same machine as the server. The payload is stored and later rendered without sanitization when the customer list or detail page is accessed by any user, including administrators. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of sensitive data displayed in the interface, or forced actions on behalf of the victim. Because the attack is stored, any user who visits the affected page is impacted, including administrators with elevated privileges. [2]

Mitigation

NCH Software has discontinued support for Axon PBX, and no patch is available. The vendor's page explicitly states “this is a legacy program we no longer support.” [1] Organizations still using Axon PBX 2.22 or earlier should consider upgrading to an alternative, supported PBX solution. As a workaround, ensure that only trusted users have authentication access, and monitor for suspicious entries in customer name fields. [1][2]