Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).
References
Link | Resource |
---|---|
http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html | Exploit Mailing List Third Party Advisory |
http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
https://www.sipwise.com | Product |
https://www.zeroscience.mk/en/vulnerabilities | Exploit Third Party Advisory |
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2021-04-23 21:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-31583
Mitre link : CVE-2021-31583
CVE.ORG link : CVE-2021-31583
JSON object : View
Products Affected
sipwise
- next_generation_communication_platform
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')