CVE-2023-37190

MEDIUM

Issabel PBX 4.0.0-6 - Stored Cross-Site Scripting via Virtual Fax Name and Caller ID Name Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-37190. PoCs published by sahiloj.

AI-analyzed exploit summary: This repository contains a writeup detailing a stored XSS vulnerability in Issabel-pbx v4.0.0-6, where arbitrary web scripts can be executed via crafted payloads in the Virtual Fax Name and Caller ID Name parameters. The writeup includes steps to reproduce the vulnerability but does not include exploit code.

Description

A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature.

Exploits (1)

nomisec WRITEUP 1 star
by sahiloj · poc
https://github.com/sahiloj/CVE-2023-37190

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Issabel-pbx 4.0.0-6
Auth required
Prerequisites: Admin credentials for Issabel-pbx · Access to the Virtual Fax feature
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 4.8
EPSS: 0.0041
EPSS Percentile: 32.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): issabel/pbx 4.0.0-6
Published: Jul 11, 2023
Tracked Since: Feb 18, 2026