CVSS: 7.5EPSS: 0%CPEs: 126EXPL: 1CVE-2010-0685
https://notcve.org/view.php?id=CVE-2010-0685
23 Feb 2010 — The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this... • http://downloads.digium.com/pub/security/AST-2010-002.html •
CVSS: 7.5EPSS: 91%CPEs: 53EXPL: 0CVE-2010-0441
https://notcve.org/view.php?id=CVE-2010-0441
04 Feb 2010 — Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number. Asterisk Open Source v1.6.0.x anterior v1.6.0.22, v1.6.1.x anterior v1.6.1.14, y v1.6.2.x anterior v1.6.2.2, y Business Edition vC.3 ant... • http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 13%CPEs: 220EXPL: 5CVE-2009-4055
https://notcve.org/view.php?id=CVE-2009-4055
02 Dec 2009 — rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length. rtp.c en Asterisk Open Source v1.2.x anterior a v1.2.37, v1.4.x anterior a v1.4.27.1, v1.6.0.x anterior a v1.6.0.19, y v1.6.1.x anterio... • http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt •
CVSS: 5.3EPSS: 1%CPEs: 215EXPL: 0CVE-2009-3727
https://notcve.org/view.php?id=CVE-2009-3727
10 Nov 2009 — Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Diges... • http://downloads.asterisk.org/pub/security/AST-2009-008.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 2%CPEs: 9EXPL: 1CVE-2009-2726
https://notcve.org/view.php?id=CVE-2009-2726
12 Aug 2009 — The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before 1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i 1.2.x before 1.3.0.3 does not use a maximum width when invoking sscanf style functions, which allows remote attackers to cause a denial of service (stack memory consumption) via SIP packets containing large sequences of ASCII decimal char... • http://downloads.digium.com/pub/security/AST-2009-005.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 2%CPEs: 30EXPL: 0CVE-2009-0871
https://notcve.org/view.php?id=CVE-2009-0871
11 Mar 2009 — The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions. El controlador de canal SIP en Asterisk Open Source v1.4.22, v1.4.23, y v1.4.23.1; v1.6.... • http://bugs.digium.com/view.php?id=13547 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 96%CPEs: 108EXPL: 3CVE-2008-3263 – Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service
https://notcve.org/view.php?id=CVE-2008-3263
22 Jul 2008 — The IAX2 protocol implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (call-number exhaustion and CPU consumption) by quickly sending a large number of IAX2 (IAX) POKE requests. La implementación del protocolo IAX2 en Asterisk Open Source versiones 1.0.x, versiones 1.2... • https://www.exploit-db.com/exploits/32095 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 2%CPEs: 6EXPL: 0CVE-2007-6171
https://notcve.org/view.php?id=CVE-2007-6171
30 Nov 2007 — SQL injection vulnerability in the Postgres Realtime Engine (res_config_pgsql) in Asterisk 1.4.x before 1.4.15 and C.x before C.1.0-beta6 allows remote attackers to execute arbitrary SQL commands via unknown vectors. Vulnerabilidad de inyección SQL en Postgres Realtime Engine (res_config_pgsql) de Asterisk 1.4.x anterior a 1.4.15 y C.x before C.1.0-beta6 permite a atacantes remotos ejecutar comandos SQL de su elección mediante vectores desconocidos. • http://downloads.digium.com/pub/security/AST-2007-025.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 1%CPEs: 10EXPL: 0CVE-2007-6170
https://notcve.org/view.php?id=CVE-2007-6170
30 Nov 2007 — SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. Vulnerabilidad de inyección SQL en el motor de registro Call Detail Record Postgres (cdr_pgsql) de Asterisk 1.4.x anterior a 1.4.15, 1.2.x anterior a 1.2.25, B.x anterior a B.2.3.4, y C.x anterior a C.1.0-beta6 permit... • http://downloads.digium.com/pub/security/AST-2007-026.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 96%CPEs: 36EXPL: 1CVE-2007-3764 – Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service
https://notcve.org/view.php?id=CVE-2007-3764
18 Jul 2007 — The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a certain data length value in a crafted packet, which results in an "overly large memcpy." El controlador de canal Skinny (chan_skinny) en Asterisk anterior a 1.2.22 y 1.4.x anterior a 1.4.8, Business Edition anterior a B.2.2.1, Asteris... • https://www.exploit-db.com/exploits/4196 •