
CVE-2025-40648: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in issabel-pbx module Issabel

Medium
Tags: Vulnerability, CVE-2025-40648, CWE-79
Published: Wed Oct 01 2025 (10/01/2025, 12:30:44 UTC)
Source: CVE Database V5
Vendor/Project: issabel-pbx module
Product: Issabel

Description

Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'.

AI-Powered Analysis

Last updated: 10/01/2025, 15:02:25 UTC

Technical Analysis

CVE-2025-40648 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Issabel PBX system, specifically within the issabel-pbx module version 5.0.0. The vulnerability arises due to improper neutralization of user input during web page generation, classified under CWE-79. The flaw is located in the 'numero_conferencia' parameter within the '/index.php?menu=conferencia' endpoint. An attacker can inject malicious scripts that are stored on the server and subsequently executed in the browsers of users who access the affected page. This type of vulnerability can lead to session hijacking, defacement, or redirection to malicious sites. The CVSS 4.0 score of 4.8 indicates a medium severity level, reflecting that the attack vector is network-based with low attack complexity but requires high privileges and user interaction. The vulnerability does not impact confidentiality, integrity, or availability directly but poses a risk to user session security and trustworthiness of the web interface. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in October 2025 by INCIBE, a reputable European cybersecurity entity.

Potential Impact

For European organizations using Issabel PBX systems, this vulnerability could allow attackers with high privileges to inject malicious scripts that execute in the context of legitimate users accessing the conferencing module. This can lead to theft of session tokens, unauthorized actions performed on behalf of users, or delivery of malware. Given that Issabel is an open-source PBX solution often used by small to medium enterprises and call centers, exploitation could disrupt telephony services or compromise sensitive communications. The impact is particularly relevant for organizations relying on web-based management interfaces for telephony infrastructure, as it undermines user trust and could facilitate further attacks within the network. Although the vulnerability requires high privileges and user interaction, the risk remains significant in environments where internal threat actors or compromised accounts exist. Additionally, the lack of patches increases exposure time. The vulnerability does not directly affect system availability or data integrity but can be a stepping stone for more severe attacks.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the '/index.php?menu=conferencia' endpoint to trusted administrators only, ideally via network segmentation or VPN access.
2. Implement strict input validation and output encoding for the 'numero_conferencia' parameter to neutralize any injected scripts.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the web interface.
4. Monitor logs for unusual input patterns or repeated access attempts to the vulnerable parameter.
5. Conduct regular security audits and penetration tests focusing on web interface components of Issabel PBX.
6. Until an official patch is released, consider disabling the conferencing module if it is not critical to operations.
7. Educate users and administrators about the risks of XSS and the importance of not clicking on suspicious links or inputs.
8. Follow Issabel project updates closely for the release of security patches and apply them promptly.
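The following PHP script is an added example illustrating recommendations 2 and 3; it is not Issabel's own code and does not reproduce the affected module. It contrasts an unsafe render of a stored value with a hardened path that validates 'numero_conferencia' as a digit string on input, HTML-encodes it on output, and sends a restrictive CSP header. The function names, the `<td>` markup and the sample values are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Issabel's code): unsafe vs. hardened handling of a
// numeric form parameter such as 'numero_conferencia'. Function names, markup
// and sample values are hypothetical and constructed for this demonstration.

declare(strict_types=1);

// Unsafe pattern: the stored value is interpolated into HTML verbatim. If it
// was saved without validation, any markup it contains is rendered as HTML.
function render_conference_row_unsafe(string $numero): string
{
    return "<td>{$numero}</td>";
}

// Validation at save time: a conference number is a short string of digits,
// so anything else is rejected before it can be stored.
function validate_numero_conferencia(string $input): ?string
{
    $trimmed = trim($input);
    // ctype_digit() is false for the empty string, signs, spaces and markup.
    if ($trimmed === '' || !ctype_digit($trimmed) || strlen($trimmed) > 20) {
        return null;
    }
    return $trimmed;
}

// Output encoding at render time: even a bad value that reached the database
// through another path is displayed as text rather than interpreted as HTML.
function render_conference_row_safe(string $numero): string
{
    $encoded = htmlspecialchars($numero, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td>{$encoded}</td>";
}

// Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
// script from running even where encoding was missed. Send before any output.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Demonstration on constructed inputs (run with: php example.php).
$samples = [
    '8600',                             // constructed valid conference number
    '8600<script>alert(1)</script>',    // constructed test string with markup
];
foreach ($samples as $s) {
    $valid = validate_numero_conferencia($s);
    echo "input: {$s}\n";
    echo "  validation:    " . ($valid === null ? 'rejected' : "accepted ({$valid})") . "\n";
    echo "  unsafe render: " . render_conference_row_unsafe($s) . "\n";
    echo "  safe render:   " . render_conference_row_safe($s) . "\n";
}
```

Validation and encoding address different layers: the whitelist keeps hostile values out of the database, while `htmlspecialchars()` with `ENT_QUOTES` protects every place the value is later printed, including attribute contexts. The CSP header is a third, independent control and should be tested against the interface's own inline scripts before deployment, since it will block those as well.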


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T08:38:12.620Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dd426f50050273f35a9a2d

Added to database: 10/1/2025, 3:02:07 PM

Last enriched: 10/1/2025, 3:02:25 PM

Last updated: 10/2/2025, 9:50:00 PM

