Summary
NCH Software Axon virtual PBX is prone to multiple remote vulnerabilities, including:
- A cross-site scripting vulnerability.
- A cross-site request forgery vulnerability.
- An arbitrary file deletion vulnerability.
- A directory traversal vulnerability.
An attacker may leverage these issues to cause a denial-of-service condition, run arbitrary script code in the browser of an unsuspecting user in the context of the affected application, steal cookie-based authentication credentials, perform certain administrative actions, gain unauthorized access to the affected application, delete certain data, and overwrite arbitrary files. Other attacks are also possible.
Axon 2.13 is vulnerable; other versions may also be affected.