Description Preview
CVE-2024-28722 is a CWE-79 Cross-Site Scripting flaw in Innovaphone myPBX affecting v12r2, v13r3, and v14r1. An attacker can supply crafted input as a query parameter to the /CMD0/xml_modes.xml endpoint, which may be reflected in the web interface and could lead to arbitrary code execution within the context of the device’s UI. The issue is rated with CVSS v3.1 base score 6.3 (Medium) and is described as having network attack potential with user interaction required, low impact on confidentiality, integrity, and availability, and low attack complexity. The root cause is improper neutralization of input during web page generation (XSS). This vulnerability can enable exploitation by remote adversaries who can reach the device’s web interface and induce the target to process malicious content.
Overview
Innovaphone myPBX contains a Cross-Site Scripting vulnerability in certain releases (12r2, 13r3, 14r1) where unsanitized input passed to the /CMD0/xml_modes.xml endpoint can be exploited through a crafted query parameter. This can allow an attacker to run arbitrary script in the browser context of the device’s web UI, potentially aiding broader compromise. The CVE is assigned as CVE-2024-28722 with a CVSS v3.1 base score of 6.3 (Medium), indicating network-based exposure that requires user interaction and has low impact to confidentiality, integrity, and availability. Affected versions are explicitly listed as v12r2, v13r3, and v14r1, and the issue is associated with improper input handling (CWE-79).
Remediation
- Upgrade to the latest firmware/release from Innovaphone that contains the XSL/XSS fix referenced in the release notes (look for the firmware note “Advanced UI: Prevent XSL injection,” often tied to a version after the affected ones).
- If upgrading is not possible, apply mitigations:
- Restrict or block access to the /CMD0/xml_modes.xml endpoint from untrusted networks (e.g., require VPN or a dedicated management network).
- Implement strong input validation and proper encoding for any data incorporated into the web UI or XML transformations to prevent XSL injection.
- Deploy a Web Application Firewall (WAF) or IDS/IPS rules to detect and block XSS/XSL injection patterns targeting the endpoint.
- Review and harden XML/XSL processing paths on the device; minimize or sanitize any dynamic XML/XSL transformations.
- Enforce network segmentation for management interfaces, rotate credentials, and monitor logs for suspicious activity related to the endpoint.
- After remediation, validate by testing with representative payloads to ensure no reflected scripts are executed and monitor for any exploitation attempts.
References
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- ConstructionConstruction: Low
- Educational ServicesEducational Services: Low
- Finance and InsuranceFinance and Insurance: Low
- Health Care & Social AssistanceHealth Care & Social Assistance: Low
- InformationInformation: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- ManufacturingManufacturing: Low
- MiningMining: Low
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Low
- Public AdministrationPublic Administration: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Retail TradeRetail Trade: Low
- Transportation & WarehousingTransportation & Warehousing: Low
- UtilitiesUtilities: Low
- Wholesale TradeWholesale Trade: Low
