NCH Software Axon 2.13 Multiple Remote Vulnerabilities
BID:39483
Info
| Bugtraq ID: | 39483 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 14 2010 12:00AM |
| Updated: | Apr 14 2010 12:00AM |
| Credit: | Ivan Markovic |
| Vulnerable: | NCH Software Axon 2.13 |
| Not Vulnerable: | |
Discussion
NCH Software Axon virtual PBX is prone to multiple remote vulnerabilities, including:
- A cross-site scripting vulnerability.
- A cross-site request forgery vulnerability.
- An arbitrary file deletion vulnerability.
- A directory traversal vulnerability.
An attacker may leverage these issues to cause a denial-of-service condition, run arbitrary script code in the browser of an unsuspecting user in the context of the affected application, steal cookie-based authentication credentials, perform certain administrative actions, gain unauthorized access to the affected application, delete certain data, and overwrite arbitrary files. Other attacks are also possible.
Axon 2.13 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can exploit these issues via a browser. To exploit the cross-site scripting and cross-site request forgery vulnerabilities, an attacker must entice an unsuspecting victim to follow a malicious URI. To exploit the arbitrary file deletion vulnerability, a remote attacker can use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Axon Homepage (NCH Software)
- NCH Homepage (NCH Software)