Synopsis
The remote web server hosts an application that is prone to a cross-site scripting attack.
Description
The remote web server is the internal web server component included with Axon Virtual PBX, a Windows application used to manage phone calls.
The installed version of this web server fails to sanitize user-supplied input to the 'onok' parameter of the '/logon' script before using it to generate dynamic HTML output.
An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.
Solution
Upgrade to Axon Virtual PBX 2.13 or later.
Plugin Details
File Name: axon_logon_xss.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
Exploit Ease: No exploit is required
Vulnerability Publication Date: 11/11/2009