CVE-2024-36697
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
An XSS vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to inject arbitrary web scripts or HTML via the SessionID parameter in query.asp.
Risk Assessment
Risk of admin session hijacking, credential theft, or unauthorized actions within the Allworx system.
Recommendation
Immediately update Allworx software to the latest version and implement input validation/sanitization for the SessionID parameter in query.asp.
Original NVD description (English source)
A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp.

