CVE-2023-0486

Name of the Vulnerable Software and Affected Versions VitalPBX version 3.2.3-8

Description The issue allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to cross-site scripting (XSS), which is a type of attack that enables an attacker to inject malicious code into a website, allowing them to bypass security measures and steal user data.

Recommendations For VitalPBX version 3.2.3-8, as a temporary workaround, consider restricting access to the administrator account until a patch is available. Avoid clicking on suspicious links from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.