Page 6 of 38 results (0.005 seconds)

CVSS: 3.5EPSS: 2%CPEs: 30EXPL: 0

The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions. El controlador de canal SIP en Asterisk Open Source v1.4.22, v1.4.23, y v1.4.23.1; v1.6.0 anterior a v1.6.0.6; v1.6.1 anterior a v1.6.1.0-rc2; y Asterisk Business Edition C.2.3, con la opción "pedantic" activada, permite a usuarios autenticados remotamente provocar una denegación de servicio (caída) a travñes de una petición SIP INVITE sin cabecera, lo que dispara una deferencia a puntero NULL en las funciones (1) sip_uri_headers_cmp y(2) sip_uri_params_cmp. • http://bugs.digium.com/view.php?id=13547 http://bugs.digium.com/view.php?id=14417 http://downloads.digium.com/pub/security/AST-2009-002.html http://osvdb.org/52568 http://secunia.com/advisories/34229 http://www.securityfocus.com/archive/1/501656/100/0/threaded http://www.securityfocus.com/bid/34070 http://www.securitytracker.com/id?1021834 http://www.vupen.com/english/advisories/2009/0667 • CWE-20: Improper Input Validation •

CVSS: 7.8EPSS: 96%CPEs: 108EXPL: 3

The IAX2 protocol implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (call-number exhaustion and CPU consumption) by quickly sending a large number of IAX2 (IAX) POKE requests. La implementación del protocolo IAX2 en Asterisk Open Source versiones 1.0.x, versiones 1.2.x anteriores a 1.2.30 y versiones 1.4.x anteriores a 1.4.21.2; Business Edition versiones A.x.x, versiones B.x.x anteriores a B.2.5.4 y versiones C.x.x anteriores a C.1.10.3; AsteriskNOW; Appliance Developer Kit versiones 0.x.x; y s800i versiones 1.0.x anteriores a 1.2.0.1, permite a los atacantes remotos causar una denegación de servicio (agotamiento del número de llamadas y consumo de CPU) mediante el envío rápido de un gran número de peticiones POKE de IAX2 (IAX). • https://www.exploit-db.com/exploits/32095 http://downloads.digium.com/pub/security/AST-2008-010.html http://downloads.securityfocus.com/vulnerabilities/exploits/30321.pl http://secunia.com/advisories/31178 http://secunia.com/advisories/31194 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.securityfocus.com/archive/1/494675/100/0/threaded http://www.securityfocus.com/bid/30321 http://www.securitytracker.com/id?1020535 http:// • CWE-399: Resource Management Errors •

CVSS: 9.3EPSS: 3%CPEs: 40EXPL: 0

The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses. El servidor AsteriskGUI HTTP en Asterisk Open Source 1.4.x antes de 1.4.19-rc3 y 1.6.x antes de 1.6.0-beta6, Business Edition C.x.x antes de C.1.6, AsteriskNOW antes de 1.0.2, Appliance Developer Kit antes de la revisión 104704 y s800i 1.0.x antes de 1.1.0.2 genera valores ID de gestión no lo suficientemente aleatorios, lo que facilita a atacantes remotos secuestrar una sesión de gestión a través de una serie de adivinaciones de ID. • http://downloads.digium.com/pub/security/AST-2008-005.html http://secunia.com/advisories/29449 http://secunia.com/advisories/29470 http://securityreason.com/securityalert/3764 http://www.securityfocus.com/archive/1/489819/100/0/threaded http://www.securityfocus.com/bid/28316 http://www.securitytracker.com/id?1019679 https://exchange.xforce.ibmcloud.com/vulnerabilities/41304 https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html https://www.redhat.com/archives/ • CWE-255: Credentials Management Errors •

CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0

SQL injection vulnerability in the Postgres Realtime Engine (res_config_pgsql) in Asterisk 1.4.x before 1.4.15 and C.x before C.1.0-beta6 allows remote attackers to execute arbitrary SQL commands via unknown vectors. Vulnerabilidad de inyección SQL en Postgres Realtime Engine (res_config_pgsql) de Asterisk 1.4.x anterior a 1.4.15 y C.x before C.1.0-beta6 permite a atacantes remotos ejecutar comandos SQL de su elección mediante vectores desconocidos. • http://downloads.digium.com/pub/security/AST-2007-025.html http://osvdb.org/38933 http://secunia.com/advisories/27873 http://securitytracker.com/id?1019021 http://www.securityfocus.com/archive/1/484387/100/0/threaded http://www.securityfocus.com/bid/26645 http://www.vupen.com/english/advisories/2007/4055 https://exchange.xforce.ibmcloud.com/vulnerabilities/38766 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0

SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. Vulnerabilidad de inyección SQL en el motor de registro Call Detail Record Postgres (cdr_pgsql) de Asterisk 1.4.x anterior a 1.4.15, 1.2.x anterior a 1.2.25, B.x anterior a B.2.3.4, y C.x anterior a C.1.0-beta6 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección mediante los argumentos (1) ANI y (2) DNIS. • http://downloads.digium.com/pub/security/AST-2007-026.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/27827 http://secunia.com/advisories/27892 http://secunia.com/advisories/29242 http://secunia.com/advisories/29782 http://security.gentoo.org/glsa/glsa-200804-13.xml http://securitytracker.com/id?1019020 http://www.debian.org/security/2007/dsa-1417 http://www.securityfocus.com/archive/1/484388/100/0/threaded http: • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •