CVE Catalog

CVE-2024-36697

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

An XSS vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to inject arbitrary web scripts or HTML via the SessionID parameter in query.asp.

Risk Assessment

Risk of admin session hijacking, credential theft, or unauthorized actions within the Allworx system.

Recommendation

Immediately update Allworx software to the latest version and implement input validation/sanitization for the SessionID parameter in query.asp.

Original NVD description (English source)

A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS