CVE-2023-23326

Vulnerability

AvantFAX 3.3.7 contains a stored Cross-Site Scripting (XSS) vulnerability in the user email address field. An authenticated low-privilege user can inject arbitrary JavaScript into their email address during profile update [1]. The email is not sanitized before storage, and when an administrator views the admin dashboard, the payload executes in the admin's browser. Version 3.3.7 is affected; earlier releases may also be vulnerable.

Exploitation

An attacker must have network access to the AvantFAX instance and valid low-privilege credentials [1]. The attacker updates their profile email to a malicious JavaScript payload (e.g., ``). When an administrator logs in and navigates to the admin dashboard, the injected script executes, exfiltrating the admin's session cookie [1].

Impact

Successful exploitation allows the attacker to steal the administrator's session cookie, leading to session hijacking and full administrative access to AvantFAX [1]. This can result in further compromise, including modification of settings, access to fax archives, and potential lateral movement.

Mitigation

The vulnerability was fixed in AvantFAX version 3.3.8, released on January 10, 2023 [1]. Users should upgrade to version 3.3.8 or later. As a workaround, administrators may restrict the ability to modify email addresses to trusted users only. No other mitigations are available [1].