CVE-2018-19927

Name of the Vulnerable Software and Affected Versions Zenitel Norway IP-StationWeb versions prior to 4.2.3.9

Description The issue allows for stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm save changes sip nick parameter. In some cases, the password of alphaadmin for the admin account may be used for authentication.

Recommendations For versions prior to 4.2.3.9, update to version 4.2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the goform/zForm save changes endpoint and avoiding the use of the sip nick parameter until the issue is resolved.