CVE-2024-36697

Vulnerability

Overview A reflected cross-site scripting (XSS) vulnerability exists in the Admin Login page of Allworx System Software version 9.1.9.12. The flaw resides in the query.asp component, where the SessionID parameter is not properly sanitized before being rendered in the response. This allows an attacker to inject arbitrary HTML or JavaScript code through a crafted request [1].

Attack

Vector An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in the SessionID parameter. If an administrative user clicks the link or is redirected to it during the login process, the injected script executes in the context of the admin's browser session. No authentication is required for the injection, but the attack relies on social engineering or other means to deliver the crafted link to an admin [1].

Impact

Successful exploitation enables the attacker to execute arbitrary web scripts or HTML in the admin's browser. This could lead to session hijacking, theft of administrative credentials, or other client-side attacks that compromise the security of the Allworx system [1].

Mitigation

As of the publication date, no patch has been announced for this vulnerability. Users are advised to restrict network access to the admin interface and monitor for vendor updates. The affected version 9.1.9.12 may be end-of-life or require contact with Allworx support [1].