Switchvox Smb Edition
Monthly
Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persistent JavaScript through the voicemail notification template feature, which then executes in the browsers of other users who view the affected template. The payload is submitted via the template_text parameter to the submit_modify_voicemail_template endpoint, which fails to sanitize HTML. No public exploit identified at time of analysis, though the flaw was disclosed with a technical writeup by researchers at SRA; it is not listed in CISA KEV.
Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensitive files anywhere on the appliance filesystem. The play_file functionality trusts the user-controlled sound_path parameter and fails to validate paths, so supplying an absolute path escapes the intended sound directory. No public exploit code is identified, but a detailed technical write-up from the reporting researchers (SRA) exists, and the flaw is not listed in CISA KEV.
Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.
Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persistent JavaScript through the voicemail notification template feature, which then executes in the browsers of other users who view the affected template. The payload is submitted via the template_text parameter to the submit_modify_voicemail_template endpoint, which fails to sanitize HTML. No public exploit identified at time of analysis, though the flaw was disclosed with a technical writeup by researchers at SRA; it is not listed in CISA KEV.
Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensitive files anywhere on the appliance filesystem. The play_file functionality trusts the user-controlled sound_path parameter and fails to validate paths, so supplying an absolute path escapes the intended sound directory. No public exploit code is identified, but a detailed technical write-up from the reporting researchers (SRA) exists, and the flaw is not listed in CISA KEV.
Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.