Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2026-23738

Опубликовано: 06 фев. 2026
Источник: nvd
CVSS3: 3.5
CVSS3: 6.1
EPSS Низкий

Описание

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия до 20.18.2 (включая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 21.0.0 (включая) до 21.12.1 (включая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 22.0.0 (включая) до 22.8.2 (включая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 23.0.0 (включая) до 23.2.2 (исключая)
cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
Версия до 18.9 (включая)
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*

EPSS

Процентиль: 22%
0.00072
Низкий

3.5 Low

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

ubuntu логотип

CVE-2026-23738

CVSS3: 3.5
ubuntu
около 2 месяцев назад

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

debian логотип

CVE-2026-23738

CVSS3: 3.5
debian
около 2 месяцев назад

Asterisk is an open source private branch exchange and telephony toolk ...

EPSS

Процентиль: 22%
0.00072
Низкий

3.5 Low

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79