Description: A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary code i.e. JavaScripts or HTML code via a crafted payload injected into the Group and Description parameters.
Vulnerable Product Version: issabel-pbx 4.0.0-6
Date: 07/07/2023
CVE: CVE-2023-37191
CVE Author: Sahil Ojha
Vendor Homepage: https://www.issabel.org/
Software Link: https://github.com/IssabelFoundation/issabelPBX
Tested on: Windows
Steps to reproduce:
-
Go to issabel PBX application and login with admin credentials.
-
Navigate to “System --> Users --> Groups”. Input the following payload ”><script>alert(1)</script> in the Group and Description input field as shown in figure below.
- Click on the save button and the payload will be executed successfully. Whenever the webpage is visited by any user the script executes in the victim’s browser. This can lead to session cookies hijacking, Permanent redirection to attacker's controlled domain or applicaiton deface and many more.