CVE-2008-1390
https://notcve.org/view.php?id=CVE-2008-1390
The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses. El servidor AsteriskGUI HTTP en Asterisk Open Source 1.4.x antes de 1.4.19-rc3 y 1.6.x antes de 1.6.0-beta6, Business Edition C.x.x antes de C.1.6, AsteriskNOW antes de 1.0.2, Appliance Developer Kit antes de la revisión 104704 y s800i 1.0.x antes de 1.1.0.2 genera valores ID de gestión no lo suficientemente aleatorios, lo que facilita a atacantes remotos secuestrar una sesión de gestión a través de una serie de adivinaciones de ID. • http://downloads.digium.com/pub/security/AST-2008-005.html http://secunia.com/advisories/29449 http://secunia.com/advisories/29470 http://securityreason.com/securityalert/3764 http://www.securityfocus.com/archive/1/489819/100/0/threaded http://www.securityfocus.com/bid/28316 http://www.securitytracker.com/id?1019679 https://exchange.xforce.ibmcloud.com/vulnerabilities/41304 https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html https://www.redhat.com/archives/ • CWE-255: Credentials Management Errors •
CVE-2007-6170
https://notcve.org/view.php?id=CVE-2007-6170
SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. Vulnerabilidad de inyección SQL en el motor de registro Call Detail Record Postgres (cdr_pgsql) de Asterisk 1.4.x anterior a 1.4.15, 1.2.x anterior a 1.2.25, B.x anterior a B.2.3.4, y C.x anterior a C.1.0-beta6 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección mediante los argumentos (1) ANI y (2) DNIS. • http://downloads.digium.com/pub/security/AST-2007-026.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/27827 http://secunia.com/advisories/27892 http://secunia.com/advisories/29242 http://secunia.com/advisories/29782 http://security.gentoo.org/glsa/glsa-200804-13.xml http://securitytracker.com/id?1019020 http://www.debian.org/security/2007/dsa-1417 http://www.securityfocus.com/archive/1/484388/100/0/threaded http: • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-6171
https://notcve.org/view.php?id=CVE-2007-6171
SQL injection vulnerability in the Postgres Realtime Engine (res_config_pgsql) in Asterisk 1.4.x before 1.4.15 and C.x before C.1.0-beta6 allows remote attackers to execute arbitrary SQL commands via unknown vectors. Vulnerabilidad de inyección SQL en Postgres Realtime Engine (res_config_pgsql) de Asterisk 1.4.x anterior a 1.4.15 y C.x before C.1.0-beta6 permite a atacantes remotos ejecutar comandos SQL de su elección mediante vectores desconocidos. • http://downloads.digium.com/pub/security/AST-2007-025.html http://osvdb.org/38933 http://secunia.com/advisories/27873 http://securitytracker.com/id?1019021 http://www.securityfocus.com/archive/1/484387/100/0/threaded http://www.securityfocus.com/bid/26645 http://www.vupen.com/english/advisories/2007/4055 https://exchange.xforce.ibmcloud.com/vulnerabilities/38766 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-5358
https://notcve.org/view.php?id=CVE-2007-5358
Multiple buffer overflows in the voicemail functionality in Asterisk 1.4.x before 1.4.13, when using IMAP storage, might allow (1) remote attackers to execute arbitrary code via a long combination of Content-type and Content-description headers, or (2) local users to execute arbitrary code via a long combination of astspooldir, voicemail context, and voicemail mailbox fields. NOTE: vector 2 requires write access to Asterisk configuration files. Múltiples desbordamientos de búfer en la funcionalidad de voicemail del Asterisk 1.4.x anterior al 1.4.13, cuando se utiliza el almacenamiento IMAP, puede permitir (1) a atacantes ejecutar código de su elección a través de una combinación larga de cabeceras dependientes del tipo (Content-type) y de la descripción (Content-description), o (2) usuarios locales ejecutar código de su elección a través de una combinación larga de los campos astspooldir, voicemail context y voicemail mailbox. NOTA: el vector 2 requiere acceso de escritura en los ficheros de configuración del Asterisk. • http://downloads.digium.com/pub/security/AST-2007-022.html http://osvdb.org/38201 http://osvdb.org/38202 http://secunia.com/advisories/27184 http://www.securityfocus.com/archive/1/481996/100/0/threaded http://www.securityfocus.com/bid/26005 http://www.securitytracker.com/id?1018804 http://www.vupen.com/english/advisories/2007/3454 https://exchange.xforce.ibmcloud.com/vulnerabilities/37051 https://exchange.xforce.ibmcloud.com/vulnerabilities/37052 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2007-4521
https://notcve.org/view.php?id=CVE-2007-4521
Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an IMAP voicemail storage backend, allows remote attackers to cause a denial of service via an e-mail with an "invalid/corrupted" MIME body, which triggers a crash when the recipient listens to voicemail. Asterisk Open Source 1.4.5 hasta la 1.4.11, cuando la configuración utiliza un almacenamiento de correo por voz (voicemail) del IMAP backend, permite a atacantes remotos provocar denegación de servicio a través de un correo electrónico con un cuerpo MIME " "inválido/corrupto", lo cual dispara una caida cuando el recipiente escucha en el correo por voz (voicemail). • http://downloads.digium.com/pub/asa/AST-2007-021.html http://secunia.com/advisories/26601 http://secunia.com/advisories/26602 http://securityreason.com/securityalert/3065 http://www.securityfocus.com/archive/1/477729/100/0/threaded http://www.securityfocus.com/bid/25438 http://www.securitytracker.com/id?1018606 http://www.vupen.com/english/advisories/2007/2978 https://exchange.xforce.ibmcloud.com/vulnerabilities/36261 •