CVE-2024-28722

Name of the Vulnerable Software and Affected Versions Innovaphone myPBX versions 12r2 through 14r1

Description The issue allows a remote attacker to execute arbitrary code via the query parameter to the "/CMD0/xml modes.xml" endpoint. This enables the attacker to perform actions such as injecting malicious scripts.

Recommendations For versions 12r2 through 14r1, as a temporary workaround, consider restricting access to the "/CMD0/xml modes.xml" endpoint until a patch is available. Avoid using the query parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.