Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities

Title: Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2017-5440
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.11.2017
Summary
The Allworx phone system enables users to manage voicemails in the Allworx Message Center and customize the personal phone system configurations using My Allworx Manager.
Description
The Allworx Server Manager interface suffers from multiple reflected XSS vulnerabilities because input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
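As an added illustration (constructed for this advisory, not Allworx's code and not the referenced PoC), the following Python shows the reflection pattern the description names, a hardened form that encodes the value for its HTML context, and the check a defender would run to confirm that a fix no longer returns input unencoded. The page template, the parameter name "q" and the probe string are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed page template: the parameter is reflected both into element
# content and into an attribute value, two contexts that both need encoding.
PAGE = ("<html><body><p>Search results for: {value}</p>"
        "<input type=\"text\" value=\"{attr}\"></body></html>")


def reflect_unsanitized(query_string: str) -> str:
    """Vulnerable pattern: the 'q' parameter is inserted verbatim."""
    q = parse_qs(query_string).get("q", [""])[0]
    return PAGE.format(value=q, attr=q)


def reflect_hardened(query_string: str) -> str:
    """Hardened form: 'q' is HTML-encoded before it is returned."""
    q = parse_qs(query_string).get("q", [""])[0]
    # quote=True also encodes " and ' so the value cannot close the attribute.
    # html.escape covers HTML element and attribute contexts only; a value
    # reflected into JavaScript or a URL needs that context's own encoding.
    safe = html.escape(q, quote=True)
    return PAGE.format(value=safe, attr=safe)


def reflects_unencoded(body: str, probe: str) -> bool:
    """Fix-verification check: True if the probe came back without encoding."""
    return probe in body


if __name__ == "__main__":
    # Constructed harmless probe; percent-encoded as it would arrive in a query string.
    qs = "q=%3Czsl-probe%3E"
    print("unsanitized reflects:", reflects_unencoded(reflect_unsanitized(qs), "<zsl-probe>"))
    print("hardened reflects:   ", reflects_unencoded(reflect_hardened(qs), "<zsl-probe>"))
```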
Vendor
Allworx Corporation - https://www.allworx.com
Affected Version
6x, 6x12 and 48x
Tested On
Microsoft Windows 10
Server IST OIS
Vendor Status
[31.10.2017] Vulnerability discovered.
[01.11.2017] Vendor contacted.
[14.11.2017] No response from the vendor.
[15.11.2017] Public security advisory released.
PoC
allworx_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/144993
[2] https://cxsecurity.com/issue/WLB-2017110084
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/134979
Changelog
[15.11.2017] - Initial release
[24.11.2017] - Added reference [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk