Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network reflected XSS requiring a victim click (UI:R), running in the browser with scope change (S:C) and limited confidentiality/integrity impact; no availability effect.
Primary rating from Vendor (SRA).
CVSS VectorVendor: SRA
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim's browser.
AnalysisAI
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to reach the Switchvox SMB Edition 8.3 web portal's invalid_browser or invalid_browser_login handlers over the network and to supply a crafted 'portal' parameter; no authentication is needed (PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:P, indicating network-reachable, low-complexity, unauthenticated exploitation that requires victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target Switchvox portal's invalid_browser (or invalid_browser_login) handler with a malicious 'portal' parameter carrying JavaScript, then delivers it to a Switchvox user via phishing email or chat. When the victim clicks the link, the injected script runs in their browser in the context of the Switchvox portal, enabling session-token theft, credential harvesting via a fake login prompt, or actions performed as the user. … |
| Remediation | Vendor-released patch: upgrade to Switchvox SMB Edition 8.4.0.2 (released July 14, 2026), per the release notes at https://sangomakb.atlassian.net/wiki/spaces/Switchvox/pages/1802371073/Switchvox+-+Release+Notes+Version+8.4.0.2+July+14+2026. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Sangoma Switchvox SMB Edition 8.3 (build 104997) instances and immediately notify users to avoid links containing 'portal' parameters from untrusted sources; enable strict Content Security Policy headers on all endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Switchvox Smb Edition
View allUnauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrar
Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensiti
Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persis
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45203