Security News > 2022 > March > Critical Security Bugs Uncovered in VoIPmonitor Monitoring Software

Critical Security Bugs Uncovered in VoIPmonitor Monitoring Software
2022-03-01 23:24

Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.

"[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log.

VoIPmonitor is an open-source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot quality of SIP VoIP calls as well as decode, play, and archive calls in a CDR database.

CVE-2022-24260 - An SQL injection vulnerability that occurs in the "Api.php" and "Utilities.php" components of the GUI that allows attackers to escalate privileges to the administrator level and retrieve sensitive data.

CVE-2022-24262 - A remote command execution via the GUI's configuration restore functionality due to a missing check for archive file formats, allowing a bad actor to execute arbitrary commands via a crafted file.

"The main reason that the only bug here is the fact that we are allowed to upload any file extension and that we can reach the uploaded files to get them to execute," Kerbit researcher Daniel Eshetu, who discovered the flaws, said in a write-up.


News URL

https://thehackernews.com/2022/03/critical-security-bugs-uncovered-in.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-04 CVE-2022-24262 Unrestricted Upload of File with Dangerous Type vulnerability in Voipmonitor
The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.
network
low complexity
voipmonitor CWE-434
8.8
2022-02-04 CVE-2022-24260 SQL Injection vulnerability in Voipmonitor
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
network
low complexity
voipmonitor CWE-89
critical
9.8