
Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2017-5440
Release Date: 15 November 2017
Vendor: Allworx Corporation - https://www.allworx.com
Affected Version: 6x, 6x12 and 48x
CVE: N/A
Tested On: Microsoft Windows 10, Server IST OIS
Summary

The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager.

Description

The Allworx Server Manager interface suffers from multiple reflected cross-site scripting (XSS) vulnerabilities: input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
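
The defect class described above, as an added example that is not part of this advisory or of Allworx's own code: a minimal handler that reflects a query parameter into the page verbatim, beside the same handler with HTML-entity encoding applied before the value is returned, plus a small check a defender can keep as a regression test for any handler that echoes request input. The parameter name q, the page template and the probe string are assumptions; the advisory does not name the affected parameters or scripts.

```python
"""Reflected XSS: verbatim reflection versus output encoding.

Added example, not Allworx code. The parameter name ``q`` and the page
template are assumptions; the advisory names no specific parameters or scripts.
"""
import html
from urllib.parse import parse_qs

# Assumed page template: the reflected value lands in element content.
TEMPLATE = "<html><body><p>Results for: {value}</p></body></html>"


def render_vulnerable(query_string: str) -> str:
    """Reflect the ``q`` parameter into the response body without encoding.

    This is the defect class the advisory describes: untrusted input is
    returned to the browser unsanitized, so any markup it contains is
    interpreted by the browser as part of the page.
    """
    value = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(value=value)


def render_fixed(query_string: str) -> str:
    """Reflect ``q`` after HTML-entity encoding for an element-content context.

    html.escape(quote=True) also encodes both quote characters, so the same
    helper remains safe if the value is later placed inside a quoted attribute.
    """
    value = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(value=html.escape(value, quote=True))


def reflects_raw_markup(response_body: str, untrusted: str) -> bool:
    """Regression check: does the response echo the untrusted input with its
    angle brackets intact? True means the handler reflects markup unencoded."""
    has_markup = "<" in untrusted or ">" in untrusted
    return has_markup and untrusted in response_body


# Constructed probe (not from the advisory): a harmless tag with quotes, plus
# the same value as it would arrive URL-encoded in a query string.
PROBE = 'hello <b title="x">world</b>'
PROBE_QUERY = "q=hello+%3Cb+title%3D%22x%22%3Eworld%3C%2Fb%3E"


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = handler(PROBE_QUERY)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(body, PROBE)}")
        print("  ", body)
```

The check is deliberately crude: it flags only the exact probe echoed with brackets intact, which is what a reflected-XSS finding like the one above looks like in a response. Encoding at the output point (render_fixed) is the fix; input "sanitization" that strips a blocklist of tags is not equivalent, because the correct encoding depends on where in the page the value is placed.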

Proof of Concept

Disclosure Timeline

31.10.2017 - Vulnerability discovered.
01.11.2017 - Vendor contacted.
14.11.2017 - No response from the vendor.
15.11.2017 - Public security advisory released.

Credits
Vulnerability discovered by Gjoko Krstic
References

Changelog

15.11.2017 - Initial release
24.11.2017 - Added reference [3]