CVE-2021-37460
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in NCH Axon PBX v2.22 and earlier via the /planprop?id= endpoint allows an authenticated attacker to have arbitrary JavaScript executed in the browser session of another authenticated user who opens a crafted link.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in NCH Axon PBX version 2.22 and earlier. The flaw resides in the /planprop?id= parameter, which lacks proper input validation, allowing an authenticated user to inject arbitrary JavaScript payloads that are reflected back in the server's response [1][2]. Other affected parameters include /extensionsinstruction?id= and /ipblacklist?errorip= [2].
Exploitation
An attacker must have valid authentication credentials (at least a standard user account) to access the management web interface. The attacker crafts a URL containing a malicious script in the id parameter of the /planprop endpoint. When the authenticated victim visits this crafted link (e.g., via email or social engineering), the injected script executes in the context of the victim's session [2].
Impact
Successful exploitation leads to arbitrary JavaScript execution within the authenticated user's session. This can result in data theft (e.g., session cookies, internal configuration), defacement, or further malicious actions such as triggering another vulnerability or propagating the attack to other users [2]. The impact is limited by the attacker's need for prior authentication.
Mitigation
As of the public disclosure date (2021-07-25), NCH Software has classified Axon PBX as a legacy product and no longer provides security updates [1]. Users are strongly advised to discontinue use of Axon PBX or isolate it from untrusted network access. No official patch or workaround is available [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.nch.com.au/pbx/index.html
- [2] github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
News mentions
No linked articles in our index yet.