CVE-2021-37462
Description
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in NCH Axon PBX v2.22 and earlier via the /ipblacklist?errorip= parameter allows authenticated attackers to inject arbitrary JavaScript.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in NCH Axon PBX versions 2.22 and earlier. The flaw resides in the /ipblacklist endpoint where the errorip parameter is not properly sanitized before being reflected in the response. This allows an authenticated attacker to inject arbitrary JavaScript code. The vendor has marked this product as legacy and no longer supported [1][2].
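The advisory describes the defect class (a query parameter echoed into the page without sanitization) but not the vendor's code. The following Python snippet is an added illustration, not Axon PBX's code: a hypothetical error-page renderer that shows the vulnerable reflection pattern beside a hardened version, and a small self-check a defender can run against any renderer to confirm whether HTML metacharacters come back unescaped. The function names, the message text and the sample addresses are assumptions made for the example.

```python
import html
import ipaddress

# Hypothetical stand-in for an admin page that reflects an "errorip" query
# parameter into an error message. This is NOT Axon PBX's code; it models the
# defect class the advisory describes (untrusted input reflected unescaped).


def render_error_vulnerable(errorip: str) -> str:
    """Reflects the parameter verbatim into HTML: the vulnerable pattern."""
    return f"<p>Could not blacklist address: {errorip}</p>"


def render_error_hardened(errorip: str) -> str:
    """Validate that the value is an IP address, then escape it on output.

    Two independent layers: strict allow-list validation (an IP field can
    only ever legitimately hold an IP) and context-aware output encoding, so
    that even if validation is later relaxed, the value cannot break out of
    the text node it is placed in.
    """
    try:
        ip = ipaddress.ip_address(errorip.strip())
    except ValueError:
        # Do not echo the rejected input at all; log it server-side instead.
        return "<p>Could not blacklist address: invalid IP address supplied</p>"
    return f"<p>Could not blacklist address: {html.escape(str(ip), quote=True)}</p>"


def is_reflected_unescaped(render, probe: str = '<"&>') -> bool:
    """Self-check for a renderer: does a marker made of HTML metacharacters
    come back byte-for-byte in the output? True means output encoding is
    missing for that sink."""
    return probe in render(probe)


if __name__ == "__main__":
    print(render_error_vulnerable("10.0.0.7"))
    print(render_error_hardened("10.0.0.7"))
    print("vulnerable reflects raw:", is_reflected_unescaped(render_error_vulnerable))
    print("hardened reflects raw:", is_reflected_unescaped(render_error_hardened))
```

Validation alone would have been enough to close this particular sink, but escaping on output is what protects the page when the same value is later rendered elsewhere (a log viewer, a JSON API, an attribute value) by code that does not know the field was validated.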
Exploitation
An attacker must be authenticated to the Axon PBX web interface. By crafting a malicious URL containing a JavaScript payload in the errorip parameter (e.g., /ipblacklist?errorip=), the attacker can trick a victim into clicking the link. The injected script executes in the context of the victim's session, potentially allowing further actions [2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the browser of an authenticated user. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the web interface. Since the product is legacy and unsupported, no patches are available [1][2].
Mitigation
NCH Software has marked Axon PBX as a legacy program and no longer provides updates or security patches. Users are advised to upgrade to a supported alternative or restrict network access to the web interface to trusted users only. There is no official fix for this vulnerability [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/0xfml/poc/blob/main/NCH/Axon_2.22_XSS.md
- [2] www.nch.com.au/pbx/index.html
News mentions
No linked articles in our index yet.