Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities
Title: Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2017-5440
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.11.2017
Server IST OIS
[01.11.2017] Vendor contacted.
[14.11.2017] No response from the vendor.
[15.11.2017] Public security advisory released.
[2] https://cxsecurity.com/issue/WLB-2017110084
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/134979
[24.11.2017] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5440
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.11.2017
Summary
The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager.Description
Allworx server manager interface suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Allworx Corporation - https://www.allworx.comAffected Version
6x, 6x12 and 48xTested On
Microsoft Windows 10Server IST OIS
Vendor Status
[31.10.2017] Vulnerability discovered.[01.11.2017] Vendor contacted.
[14.11.2017] No response from the vendor.
[15.11.2017] Public security advisory released.
PoC
allworx_xss.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/144993[2] https://cxsecurity.com/issue/WLB-2017110084
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/134979
Changelog
[15.11.2017] - Initial release[24.11.2017] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
