CVE-2021-37461
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in NCH Axon PBX v2.22 and earlier via the /extensionsinstruction endpoint lets an attacker run arbitrary JavaScript in the browser of an authenticated user who opens a crafted link.
Vulnerability
Reflected Cross-Site Scripting (XSS) exists in NCH Axon PBX version 2.22 and earlier via the /extensionsinstruction?id= endpoint [1][2]. The id parameter is written back into the HTML response without output encoding, so a value containing markup is rendered as HTML and any script it carries executes in the origin of the PBX web interface. The vendor has classified Axon PBX as a legacy product and no longer provides security updates [1]. The proof-of-concept repository also documents multiple stored XSS vectors in other parts of the application [2].
Exploitation
The /extensionsinstruction page belongs to the authenticated Axon PBX web interface, so the payload only runs in the session of a user who is already logged in. Because the injection is reflected rather than stored, the attacker does not need their own session or account: they craft a URL with a JavaScript payload in the id parameter and deliver it to a victim (for example in an email or a chat message). When the authenticated victim opens the link, the server reflects the payload into the response and the browser executes it in the victim's session. No interaction is required beyond opening the link, and nothing is persisted on the server, so each victim has to be lured separately.
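The reflection described above, as an added example that is not Axon PBX's own code: a stand-in request handler for an endpoint that copies its id query parameter into HTML, shown in the vulnerable form (raw concatenation) next to the hardened form (context-appropriate HTML encoding). The path /extensionsinstruction and the id parameter come from the CVE description; the HTML template, the handler shape and the host name pbx.local are assumptions made for the example.

```javascript
// Added example, not NCH's code. Models an endpoint that reflects the `id`
// query parameter into an HTML text context, vulnerable and hardened.

// Encode the characters that let attacker data escape an HTML text or
// attribute context. Sufficient for HTML body/attribute contexts only; a value
// placed inside a <script> block or a URL needs a different encoder.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Assumed template: `id` lands inside an <h1>, i.e. an HTML text context.
function page(idFragment) {
  return `<!doctype html><title>Axon PBX</title><h1>Instructions for extension ${idFragment}</h1>`;
}

// Vulnerable variant: the raw parameter is concatenated into the page body,
// which is the behaviour the CVE describes.
function renderVulnerable(id) {
  return page(id);
}

// Hardened variant: same template, parameter encoded for the context it lands in.
function renderHardened(id) {
  return page(escapeHtml(id));
}

// Minimal handler returning what the server would send for a request URL.
// The base host is only there to satisfy the URL parser for a path-only input.
function handle(rawUrl, { vulnerable = false } = {}) {
  const u = new URL(rawUrl, 'http://pbx.local');
  if (u.pathname !== '/extensionsinstruction') return { status: 404, body: '' };
  const id = u.searchParams.get('id') || '';
  return { status: 200, body: vulnerable ? renderVulnerable(id) : renderHardened(id) };
}

// The link an attacker would hand to a victim: payload URL-encoded in `id`.
function craftLink(payload) {
  return '/extensionsinstruction?id=' + encodeURIComponent(payload);
}

// Crude success check for the demo: is there still an unencoded <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const demoLink = craftLink('<script>alert(document.cookie)</script>');
console.log('vulnerable:', handle(demoLink, { vulnerable: true }).body);
console.log('hardened:  ', handle(demoLink).body);
```

Output encoding at the point where the value is written into the page is the fix; input "sanitizing" of the id parameter is weaker, because the same value may be reflected into several contexts and a filter that does not know the context is easy to bypass.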
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser, within the origin of the PBX web interface. From there the script can read page content, issue requests to the interface with the victim's privileges, steal session tokens that are not protected from script access, or deface the interface. The attacker operates with the same privileges as the victim user, which for a PBX administration interface is typically an administrator.
Mitigation
NCH Software has discontinued support for Axon PBX, and no patch is available [1]. Users should migrate to a supported PBX solution. Until then, restrict network access to the web interface to trusted users and networks (for example, reachable only over a VPN or from an allow-listed management subnet), and treat links to the interface that arrive from outside as suspect. A web application firewall (WAF) in front of the interface can block common XSS payloads, but it is a stopgap rather than a fix: encoding-based and context-specific bypasses are routine, so monitor requests to /extensionsinstruction for markup in the id parameter rather than relying on blocking alone. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
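The monitoring suggested above, as an added example that is not part of the original advisory or of NCH's software: a scan over web server access log lines that flags requests to /extensionsinstruction whose id parameter, after URL decoding (including double encoding), contains HTML metacharacters, a javascript: scheme or an inline event handler. The log lines are constructed for the example in Combined Log Format with documentation IP addresses; Axon PBX's real log format, the host name pbx.local and the payloads shown are assumptions.

```javascript
// Added example, not NCH's code. Flags XSS-looking values in the `id`
// parameter of /extensionsinstruction across access log lines.

// Constructed sample log lines (Combined Log Format); addresses, users and
// payloads are made up for the example.
const SAMPLE_LOG = [
  '192.0.2.10 - admin [12/Aug/2021:10:15:01 +0000] "GET /extensionsinstruction?id=101 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
  '198.51.100.7 - admin [12/Aug/2021:10:16:22 +0000] "GET /extensionsinstruction?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1490 "-" "Mozilla/5.0"',
  '198.51.100.7 - admin [12/Aug/2021:10:16:40 +0000] "GET /extensionsinstruction?id=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 1477 "-" "Mozilla/5.0"',
  '192.0.2.10 - admin [12/Aug/2021:10:17:05 +0000] "GET /extensions HTTP/1.1" 200 8820 "-" "Mozilla/5.0"',
  '203.0.113.3 - - [12/Aug/2021:10:18:30 +0000] "GET /extensionsinstruction?id=javascript%3Aalert(1) HTTP/1.1" 200 1450 "-" "curl/7.68.0"',
];

// remote host, authenticated user, request path, status
const LOG_RE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Indicators that `id` is carrying markup rather than an extension identifier.
const XSS_INDICATORS = [
  /[<>]/,                // tag delimiters
  /["']/,                // attribute-context breakout
  /javascript\s*:/i,     // javascript: URL scheme
  /\bon[a-z]+\s*=/i,     // inline event handler such as onerror=
];

// Decode repeatedly so that double-encoded payloads (%253C -> %3C -> <) are
// caught. `+` is treated as a space as in form encoding; malformed escapes
// stop decoding and the value is inspected as-is.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (e) {
      return current;
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Returns one finding per suspicious request: 1-based line number, remote
// host, user and the fully decoded id value.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const m = LOG_RE.exec(line);
    if (!m) return;
    const [, remote, user, path] = m;
    const url = new URL(path, 'http://pbx.local'); // base host only to satisfy the parser
    if (url.pathname !== '/extensionsinstruction') return;
    const rawId = url.searchParams.get('id');
    if (rawId === null) return;
    const id = fullyDecode(rawId);
    if (XSS_INDICATORS.some((re) => re.test(id))) {
      findings.push({ line: idx + 1, remote, user, id });
    }
  });
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.remote} (${f.user}) id=${JSON.stringify(f.id)}`);
}
```

The decode loop is the part that matters operationally: a single-pass filter or signature sees `%253C` as harmless text, while the server's own decoding plus a second decode somewhere downstream can turn it into `<`. Reflected XSS attempts also show up with a 200 status, so status-code based alerting will not catch them.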
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH / Axon PBX, version 2.22 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://www.nch.com.au/pbx/index.html
[2] https://github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
News mentions
No linked articles in our index yet.