N/A

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

N/A

N/A

Digium Asterisk Open Source和Certified Asterisk 安全漏洞

Digium Asterisk Open Source和Certified Asterisk都是美国Digium公司的开源电话交换机（PBX）系统软件。该软件支持语音信箱、多方语音会议、交互式语音应答(IVR)等。 Asterisk Open Source和Certified Asterisk中存在安全漏洞。攻击者可借助caller-id名称和序号利用该漏洞注入任意的shell命令，并执行命令。以下产品和版本受到影响：Asterisk Open Source 11.25.2之前的11.x版本，13.17.

N/A

N/A