Critical security vulnerabilities have been disclosed in the VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.
Following responsible disclosure by researchers from Kerbit, an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in version 24.97 of the WEB GUI shipped on January 11, 2022.
“[F]ix critical vulnerabilities – new SQL injects for unauthenticated end users permitting gaining admin privileges,” the maintainers of VoIPmonitor noted in the changelog.
VoIPmonitor is an open-source network packet sniffer with a commercial frontend for the SIP, RTP and RTCP VoIP protocols, running on Linux, that lets users monitor and troubleshoot the quality of SIP VoIP calls as well as decode, play, and archive calls in a CDR database.
The three flaws identified by Kerbit are as follows –
- CVE-2022-24259 (CVSS score: 9.8) – An authentication bypass bug in the “cdr.php” component of the GUI that enables an unauthenticated attacker to elevate privileges by means of a specially crafted request.
- CVE-2022-24260 (CVSS score: 9.8) – An SQL injection vulnerability in the “api.php” and “utilities.php” components of the GUI that allows attackers to escalate privileges to the administrator level and retrieve sensitive data.
- CVE-2022-24262 (CVSS score: 7.8) – A remote command execution via the GUI’s configuration restore functionality, due to a missing check for archive file formats, that allows a bad actor to execute arbitrary commands through a crafted file.
“The main reason that the only bug here is the fact that we are allowed to upload any file extension and that we can reach the uploaded files to get them to execute,” Kerbit researcher Daniel Eshetu, who discovered the flaws, said in a write-up.
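The kind of archive-format and path check that a configuration-restore handler should perform before writing any uploaded file to disk, shown here as an added Python example rather than VoIPmonitor's own PHP code; the gzip-only rule, the `.conf`/`.json` suffix allowlist and the file names in the helper are assumptions made for the illustration:

```python
# Added example (not VoIPmonitor code): validate an uploaded "configuration
# restore" archive before anything from it is written to disk. The page says
# the archive-format check was missing; this rejects non-gzip uploads up
# front and also refuses traversal paths, links and unexpected file types.
import io
import os
import tarfile

# Hypothetical allowlist: only files with these suffixes may be restored.
ALLOWED_SUFFIXES = (".conf", ".json")


class RestoreArchiveError(ValueError):
    """Raised when an uploaded restore archive fails validation."""


def validate_restore_archive(blob: bytes) -> list[str]:
    """Return member names safe to restore, or raise RestoreArchiveError."""
    if not blob.startswith(b"\x1f\x8b"):          # gzip magic bytes
        raise RestoreArchiveError("not a gzip archive")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz")
    except tarfile.TarError as exc:
        raise RestoreArchiveError(f"not a tar archive: {exc}") from exc
    safe = []
    with tar:
        for member in tar.getmembers():
            name = member.name
            if not member.isfile():                  # no links, dirs, devices
                raise RestoreArchiveError(f"{name}: not a regular file")
            if os.path.isabs(name) or ".." in name.split("/"):
                raise RestoreArchiveError(f"{name}: path escapes restore dir")
            if not name.endswith(ALLOWED_SUFFIXES):  # e.g. a .php upload
                raise RestoreArchiveError(f"{name}: disallowed file type")
            safe.append(name)
    if not safe:
        raise RestoreArchiveError("archive contains no restorable files")
    return safe


def is_restorable(blob: bytes) -> bool:
    """Boolean wrapper around validate_restore_archive for callers/tests."""
    try:
        validate_restore_archive(blob)
        return True
    except RestoreArchiveError:
        return False


def make_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz from {name: content} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```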
Some parts of this article are sourced from:
thehackernews.com