Security News > 2022 > March > Critical Security Bugs Uncovered in VoIPmonitor Monitoring Software
Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.
"[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log.
VoIPmonitor is an open-source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot quality of SIP VoIP calls as well as decode, play, and archive calls in a CDR database.
CVE-2022-24260 - An SQL injection vulnerability that occurs in the "Api.php" and "Utilities.php" components of the GUI that allows attackers to escalate privileges to the administrator level and retrieve sensitive data.
CVE-2022-24262 - A remote command execution via the GUI's configuration restore functionality due to a missing check for archive file formats, allowing a bad actor to execute arbitrary commands via a crafted file.
"The main reason that the only bug here is the fact that we are allowed to upload any file extension and that we can reach the uploaded files to get them to execute," Kerbit researcher Daniel Eshetu, who discovered the flaws, said in a write-up.
News URL
https://thehackernews.com/2022/03/critical-security-bugs-uncovered-in.html
Related news
- Critical Security Flaw Found in Popular LayerSlider WordPress Plugin (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
- 73% of SME security pros missed or ignored critical alerts (source)
- 10 Critical Endpoint Security Tips You Should Know (source)
- DHS establishes AI Safety and Security Board to protect critical infrastructure (source)
- U.S. Government Releases New AI Security Guidelines for Critical Infrastructure (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-04 | CVE-2022-24262 | Unrestricted Upload of File with Dangerous Type vulnerability in Voipmonitor The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root. | 6.5 |
| 2022-02-04 | CVE-2022-24260 | SQL Injection vulnerability in Voipmonitor A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level. | 10.0 |