CVE-2024-28722 is a Cross Site Scripting (XSS) vulnerability identified in Innovaphone myPBX versions 14r1, 13r3, and 12r2. The vulnerability arises from improper sanitization of input in the query parameter of the /CMD0/xml_modes.xml endpoint. An attacker can craft a malicious URL containing executable script code within this parameter, which, when accessed by a user, causes the victim's browser to execute arbitrary JavaScript. This can lead to session hijacking, theft of sensitive information, or manipulation of the user interface. The attack vector is remote and does not require authentication, but it does require user interaction, such as clicking a malicious link. The CVSS 3.1 base score is 6.3, reflecting medium severity due to the ease of exploitation and potential impact on confidentiality, integrity, and availability. No patches or public exploits have been reported yet, but the vulnerability is publicly disclosed and should be treated seriously. The CWE-79 classification confirms this as a classic reflected XSS issue. Given the nature of PBX systems, exploitation could also impact telephony operations indirectly by compromising administrative sessions or user credentials.

The primary impact of CVE-2024-28722 is the execution of arbitrary scripts in the context of authenticated users accessing the Innovaphone myPBX web interface. This can lead to theft of session cookies, enabling attackers to impersonate legitimate users, potentially gaining unauthorized access to PBX management functions. Confidentiality of sensitive telephony data and user credentials may be compromised. Integrity could be affected if attackers manipulate configuration or call routing via stolen credentials. Availability impact is possible if attackers disrupt normal PBX operations by injecting malicious scripts that interfere with user sessions or administrative controls. Organizations relying on Innovaphone myPBX for critical telephony services could face operational disruptions, data breaches, and reputational damage. The lack of authentication requirement for exploitation increases risk, especially in environments where users may be tricked into clicking malicious links. Although no known exploits are currently in the wild, the public disclosure increases the likelihood of future attacks.

To mitigate CVE-2024-28722, organizations should implement the following specific measures: 1) Apply any forthcoming patches from Innovaphone promptly once available. 2) Implement web application firewall (WAF) rules to detect and block suspicious query parameters targeting /CMD0/xml_modes.xml, focusing on script injection patterns. 3) Restrict access to the PBX web interface to trusted networks or VPNs to reduce exposure to external attackers. 4) Educate users about the risks of clicking unsolicited or suspicious links, especially those purporting to relate to telephony or PBX systems. 5) Employ Content Security Policy (CSP) headers on the PBX web interface to limit the execution of unauthorized scripts. 6) Monitor logs for unusual access patterns or attempts to exploit the vulnerable endpoint. 7) Consider isolating the PBX management interface from general user networks to minimize attack surface. These targeted actions go beyond generic advice and address the specific attack vector and environment of this vulnerability.