CVE-2023-25355 – CoreDial sipXcom sipXopenfire 21.04 Remote Command Execution / Weak Permissions
https://notcve.org/view.php?id=CVE-2023-25355
CoreDial sipXcom up to and including 21.04 is vulnerable to Insecure Permissions. A user who can run commands as the `daemon` user on a sipXcom server can overwrite a service file and escalate their privileges to `root`. CoreDial sipXcom sipXopenfire versions 21.04 and below suffer from XMPP message system command argument injection and insecure service file permissions which, when chained together, give root. • https://seclists.org/fulldisclosure/2023/Mar/5 • CWE-276: Incorrect Default Permissions •
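The weak-permissions half of the chain is a unit file that the unprivileged service account can rewrite (or replace, if the directory holding it is writable). The following audit is an added example, not code from the advisory or from sipXcom: it checks a service file and its parent directory against a given uid/gid set using classic mode bits, and `demo()` builds constructed sample unit files in a temporary directory so it runs offline. File names such as `sipxopenfire.service` are illustrative. Caveat: POSIX ACLs, capabilities and read-only mounts are not considered, so a clean result here is necessary but not sufficient.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_unit_file(path, uid, gids):
    """Return findings for a unit file as seen by an account (uid, gids).

    Only classic mode bits are evaluated; POSIX ACLs, capabilities and
    mount options are deliberately out of scope (caveat for real audits).
    """
    def can_write(p):
        st = os.stat(p)
        if st.st_uid == uid:
            return bool(st.st_mode & stat.S_IWUSR)
        if st.st_gid in gids:
            return bool(st.st_mode & stat.S_IWGRP)
        return bool(st.st_mode & stat.S_IWOTH)

    p = Path(path)
    findings = []
    if can_write(p):
        findings.append("file writable: unit contents can be rewritten")
    if can_write(p.parent):
        findings.append("directory writable: unit file can be replaced")
    return findings


def demo():
    """Construct sample unit files and audit them from two viewpoints.

    Files are created by the current user; 'other_uid' simulates an
    unprivileged account (like 'daemon') that does not own them.
    """
    other_uid = os.getuid() + 1000  # simulated account that is not the owner
    with tempfile.TemporaryDirectory() as d:  # mode 0700, owned by us
        good = Path(d) / "sipxopenfire.service"  # constructed sample
        good.write_text("[Service]\nExecStart=/bin/true\n")
        good.chmod(0o644)
        world = Path(d) / "sipxrelay.service"  # constructed sample
        world.write_text("[Service]\nExecStart=/bin/true\n")
        world.chmod(0o666)
        return {
            "owned by another uid, mode 0644": audit_unit_file(good, other_uid, set()),
            "owned by another uid, mode 0666": audit_unit_file(world, other_uid, set()),
            # the owner case models a unit file owned by the service account itself
            "owned by the unprivileged account": audit_unit_file(good, os.getuid(), set()),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["ok"])
```

On a real host, point `audit_unit_file` at the unit files of every service that runs as root and pass the uid and group set of the account a remote attacker could reach (here, `daemon`); any finding means that account can turn a restart into code execution as root.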
CVE-2023-25356 – CoreDial sipXcom sipXopenfire 21.04 Remote Command Execution / Weak Permissions
https://notcve.org/view.php?id=CVE-2023-25356
CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users can inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution. CoreDial sipXcom sipXopenfire versions 21.04 and below suffer from XMPP message system command argument injection and insecure service file permissions which, when chained together, give root. • https://seclists.org/fulldisclosure/2023/Mar/5 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
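The advisory does not name the command the XMPP bot invokes, so the following is an added example of the CWE-88 pattern in general, not the sipXcom code or exploit: a hypothetical helper `sipx-lookup` with an `--output` option stands in for the system command, the vulnerable wrapper splits the message body into separate arguments (so a message can smuggle options, here a file write to an attacker-chosen path), and the hardened wrapper allowlists the value and passes it as a single argument after `--`. The helper is simulated in-process with `argparse` and only reports where it would write, so nothing is executed.

```python
import argparse
import re
import shlex


def helper_main(argv):
    """Stand-in for the privileged helper (hypothetical 'sipx-lookup').

    Takes a subscriber name and an optional --output path; instead of
    writing a file it reports what a real helper would do.
    """
    parser = argparse.ArgumentParser(prog="sipx-lookup", add_help=False)
    parser.add_argument("name")
    parser.add_argument("--output", default="/var/log/sipx/lookup.log")
    ns = parser.parse_args(argv)
    return {"name": ns.name, "writes_to": ns.output}


def vulnerable_argv(message):
    # CWE-88: every whitespace-separated token of the XMPP message becomes
    # its own argument, so "alice --output /etc/cron.d/x" injects an option.
    # No shell is involved; the helper's own option parser is the target.
    return ["sipx-lookup"] + shlex.split(message)


NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def hardened_argv(message):
    # Allowlist the value (no whitespace, no delimiters) and pass it as one
    # argument. "--" ends option parsing, so a name beginning with '-' is
    # still treated as data rather than as an option.
    name = message.strip()
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected subscriber name: %r" % name)
    return ["sipx-lookup", "--", name]


def run(argv):
    """Dispatch argv to the simulated helper (argv[0] is the program name)."""
    return helper_main(argv[1:])


if __name__ == "__main__":
    evil = "alice --output /etc/cron.d/evil"   # constructed XMPP message
    print(run(vulnerable_argv(evil)))          # writes_to is attacker-chosen
    try:
        hardened_argv(evil)
    except ValueError as e:
        print("hardened:", e)
    print(run(hardened_argv("--output")))      # stays a name, not an option
```

The fix is not quoting (there is no shell to quote for) but keeping the untrusted value in exactly one argv slot and making sure the called program cannot interpret it as an option; `--` does that for getopt-style tools, while tools that lack it need the value validated so it can never start with `-`.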