Axon Virtual PBX /logon Multiple Parameter XSS

medium Nessus Plugin ID 42475

Synopsis

The remote web server hosts an application that is prone to a cross-site scripting attack.

Description

The remote web server is the internal web server component included with Axon Virtual PBX, a Windows application used to manage phone calls.

The installed version of this web server fails to sanitize user-supplied input to the 'onok' parameter of the '/logon' script before using it to generate dynamic HTML output. Because the value is reflected back in the response without encoding, an HTML-context payload in that parameter is returned verbatim to the requesting browser.

An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.
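The following is an added example, not code from the plugin or from Axon Virtual PBX. It models the check a reflected-XSS plugin of this kind performs (send a unique marker in the 'onok' parameter of '/logon' and test whether the response echoes it unencoded) against two constructed stand-ins for the logon page: one that interpolates the parameter raw, as the description says the affected versions do, and one that HTML-encodes it. The page template, the hidden-field context and the probe string are assumptions made for illustration; the real response markup of Axon is not known from this page.

```python
import html
from urllib.parse import urlencode

LOGON_PATH = "/logon"
PARAM = "onok"

# Constructed probe: breaks out of a quoted attribute and opens a script tag.
# A real plugin uses a random token here so the reflection is unambiguous.
PROBE = '"><script>xss_probe()</script>'


def build_probe_request(host: str, port: int = 80) -> str:
    """Return the request line a scanner would send (port 80 is an assumption)."""
    query = urlencode({PARAM: PROBE})
    return f"GET {LOGON_PATH}?{query} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"


def render_logon_vulnerable(onok: str) -> str:
    """Constructed stand-in for the affected page: raw interpolation of 'onok'."""
    return (
        "<html><body><form method='post' action='/logon'>"
        f'<input type="hidden" name="onok" value="{onok}">'
        "<input name='user'><input name='pass' type='password'>"
        "</form></body></html>"
    )


def render_logon_fixed(onok: str) -> str:
    """Hardened stand-in: encode for the attribute context before emitting."""
    safe = html.escape(onok, quote=True)
    return (
        "<html><body><form method='post' action='/logon'>"
        f'<input type="hidden" name="onok" value="{safe}">'
        "<input name='user'><input name='pass' type='password'>"
        "</form></body></html>"
    )


def reflection_status(body: str, probe: str = PROBE) -> str:
    """Classify how the probe came back: 'raw', 'encoded' or 'absent'.

    'raw' is the finding; 'encoded' means the value was reflected but the
    characters that matter for HTML (<, >, ") were neutralised.
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def is_vulnerable(body: str, probe: str = PROBE) -> bool:
    """True only when the probe is echoed verbatim, i.e. exploitable reflection."""
    return reflection_status(body, probe) == "raw"


if __name__ == "__main__":
    print(build_probe_request("pbx.example.internal"))
    for name, page in (("vulnerable", render_logon_vulnerable(PROBE)),
                       ("fixed", render_logon_fixed(PROBE))):
        print(f"{name}: {reflection_status(page)} -> vulnerable={is_vulnerable(page)}")
```

Checking for the encoded form as well as the raw one matters in practice: a page that echoes `&lt;script&gt;` is not vulnerable through this parameter, and a scanner that only greps for the word `script` would report a false positive against the fixed version.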

Solution

Upgrade to Axon Virtual PBX 2.13 or later.

Plugin Details

Severity: Medium

ID: 42475

File Name: axon_logon_xss.nasl

Version: 1.9

Type: remote

Published: 11/12/2009

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
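As an added example (not part of the plugin page), the following derives the 4.3 base score above from the vector string using the CVSS v2 equations and metric weights. Only the base score is computed: the temporal vector (exploitability, remediation level, report confidence) behind the 3.7 temporal score is not given on the page, so it is not guessed here.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (from the CVSS v2.0 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by C, I and A


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N' into {'AV': 'N', ...}."""
    if "#" in vector:
        vector = vector.split("#", 1)[1]
    metrics = {}
    for part in vector.split("/"):
        key, value = part.split(":")
        metrics[key] = value
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"missing base metric {required}")
    return metrics


def round_to_1_decimal(value: float) -> float:
    """CVSS v2 rounds half up to one decimal place."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_impact(m: dict) -> float:
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def cvss2_exploitability(m: dict) -> float:
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def cvss2_base(vector: str) -> float:
    """Base score per the v2 equation; f(Impact) is 0 when Impact is 0, else 1.176."""
    m = parse_vector(vector)
    impact = cvss2_impact(m)
    exploitability = cvss2_exploitability(m)
    f_impact = 0.0 if impact == 0 else 1.176
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


if __name__ == "__main__":
    vec = "CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"
    m = parse_vector(vec)
    print(f"Impact={cvss2_impact(m):.5f} Exploitability={cvss2_exploitability(m):.4f}")
    print(f"Base score for {vec}: {cvss2_base(vec)}")
```

For this vector the impact sub-score is 10.41 * (1 - 0.725) = 2.86275 (only integrity is partially affected), the exploitability sub-score is 20 * 1.0 * 0.61 * 0.704 = 8.5888 (network, medium complexity, no authentication), and the base score rounds to 4.3, matching the page.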

Vulnerability Information

Exploit Ease: No exploit is required

Vulnerability Publication Date: 11/11/2009

Reference Information

CVE: CVE-2009-4038

BID: 41894

CWE: 79

Secunia: 37157