Description: A stored cross-site scripting (XSS) vulnerability in Issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters in the New Virtual Fax feature.
Vulnerable Product Version: issabel-pbx 4.0.0-6
Date: 07/07/2023
CVE: CVE-2023-37190
CVE Author: Sahil Ojha
Vendor Homepage: https://www.issabel.org/
Software Link: https://github.com/IssabelFoundation/issabelPBX
Tested on: Windows
Steps to reproduce:
-
Go to issabel PBX application and login with admin credentials.
-
Navigate to “Fax --> Virtual Fax --> New Virtual Fax”. Inject the XSS payload in the categories Virtual Fax Name and Caller ID Name as shown in figure below.
- Click on the save button and the payload will be executed successfully. Whenever the webpage is visited by any user the script executes in the victim’s browser. This can lead to session cookies hijacking, Permanent redirection to attacker's controlled domain or applicaiton deface and many more.
