CVE-2017-18024

Name of the Vulnerable Software and Affected Versions: AvantFAX version 3.3.3

Description: The issue allows for XSS via an arbitrary parameter name to the default URI. This can be demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1. There have been reports of this issue being exploited on Endless Hosting, specifically on the https://fax.pbx.itsendless.org/ endpoint.

Recommendations: For AvantFAX version 3.3.3, as a temporary workaround, consider restricting access to arbitrary parameters in the default URI until a patch is available. Avoid using parameter names that contain SCRIPT elements in the affected API endpoint until the issue is resolved.