3CX Phone System login.php Multiple Parameter XSS

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.

Synopsis :

The remote web server contains a PHP application that is affected by
multiple cross-site scripting issues.

Description :

3CX Phone System for Windows, a software-based IP PBX, is installed on
the remote host. The installed version fails to sanitize input to the
'fName' and 'fPassword' parameters in 'login.php' before using it to
generate an HTML response dynamically. An unauthenticated remote
attacker may be able to leverage these issues to inject arbitrary HTML
or script code into a user's browser to be executed within the security
context of the affected site.
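
The following is an added illustration of the flaw class described above, not 3CX's code: a minimal login form renderer in the style of a hypothetical login.php that echoes the submitted 'fName' value back into the page. Only the parameter names fName and fPassword come from this advisory; the function names, form markup and sample input are constructed. The vulnerable version copies the value straight into an HTML attribute; the hardened version encodes it for that context first.

```php
<?php
// Added example (not 3CX's code). Parameter names fName/fPassword come from
// the advisory; the renderer functions and markup below are hypothetical.

// Vulnerable pattern: the submitted value is concatenated straight into the
// HTML response, so any quotes or tags in it are interpreted by the browser.
function render_login_form_vulnerable(string $fName): string
{
    return '<form method="post" action="login.php">'
         . '<input type="text" name="fName" value="' . $fName . '">'
         . '<input type="password" name="fPassword" value="">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both single and double quotes, so the value can never
// terminate the value="..." attribute; the charset is stated explicitly so
// the encoder and the browser agree on what a byte sequence means.
function render_login_form_safe(string $fName): string
{
    $safeName = htmlspecialchars($fName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="text" name="fName" value="' . $safeName . '">'
         // The submitted password is never echoed back; a login form has no
         // reason to re-populate fPassword, so there is nothing to encode.
         . '<input type="password" name="fPassword" value="">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a legitimate-looking name containing a double
    // quote and angle brackets, the characters that matter in this context.
    $sample = 'O"Brien <test>';
    echo "vulnerable: " . render_login_form_vulnerable($sample) . "\n";
    echo "safe:       " . render_login_form_safe($sample) . "\n";
    // In the hardened output the quote and brackets arrive as entities.
    $safe = render_login_form_safe($sample);
    assert(strpos($safe, '&quot;') !== false);
    assert(strpos($safe, '&lt;test&gt;') !== false);
    assert(strpos($safe, '<test>') === false);
} else {
    // When served by a web server, only the hardened renderer is used.
    $name = isset($_REQUEST['fName']) ? (string) $_REQUEST['fName'] : '';
    header('Content-Type: text/html; charset=UTF-8');
    echo render_login_form_safe($name);
}
```

Run it with `php login_example.php` to compare the two renderings side by side. The fix is context-specific: htmlspecialchars with ENT_QUOTES is correct for text and attribute values, but a value placed inside a <script> block, a URL, or an inline event handler needs the encoding appropriate to that context instead.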

Although Nessus has not checked for them, the installed version is also
likely to be affected by several other vulnerabilities, including denial
of service, sniffing of administrator's session ID, and path

See also :


Solution :

Upgrade to 3CX Phone System for Windows 7.0.3775 (RC) or later.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 40613 (3cx_phone_system_multiple_xss.nasl)

Bugtraq ID: 32709

CVE ID: CVE-2008-6894
