Back to search
CVE-2006-4346
Published: Aug 24, 2006
Modified: Aug 7, 2024
PUBLISHED
Description
Asterisk 1.2.10 supports the use of client-controlled variables to determine filenames in the Record function, which allows remote attackers to (1) execute code via format string specifiers or (2) overwrite files via directory traversals involving unspecified vectors, as demonstrated by the CALLERIDNAME variable.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
asterisk-record-code-execution(28544)
vdb-entry
x_refsource_XF
ADV-2006-3372
vdb-entry
x_refsource_VUPEN
GLSA-200610-15
vendor-advisory
x_refsource_GENTOO
asterisk-record-directory-traversal(28564)
vdb-entry
x_refsource_XF
http://labs.musecurity.com/advisories/MU-200608-01.txt
x_refsource_MISC
22651
third-party-advisory
x_refsource_SECUNIA
19683
vdb-entry
x_refsource_BID
1016742
vdb-entry
x_refsource_SECTRACK
20060825 Multiple Vulnerabilities in Asterisk 1.2.10 (Fixed in 1.2.11)
mailing-list
x_refsource_BUGTRAQ
http://www.sineapps.com/news.php?rssid=1448
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now