Sangoma · Sangoma Session Border Controller · CVE-2019-12148
**Name of the Vulnerable Software and Affected Versions**
Sangoma Session Border Controller (SBC) version 2.3.23-119 GA
**Description**
An argument injection vulnerability involving special characters in the `username` field allows an authentication bypass. A remote unauthenticated user can log in to the device's admin web portal without providing any credentials. The vulnerable code is in the `/var/webconfig/gui/Webconfig.inc.php` file, which is part of the web interface.
**Recommendations**
For Sangoma Session Border Controller (SBC) version 2.3.23-119 GA, as a temporary workaround, restrict access to the web interface or limit the use of special characters in the `username` field until a patch is available. Additionally, avoid sending special characters in the `username` field to the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
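
The workaround of limiting special characters in the `username` field, sketched as an added example (not Sangoma's code and not taken from the advisory): an allow-list check applied before the name reaches any external command. The helper path, the function names, and the assumption that the login code forwards the username to a helper that honours the `--` end-of-options convention are hypothetical.

```php
<?php
// Added illustration, not Sangoma code. The helper path and its
// argument layout are hypothetical.
const AUTH_HELPER = '/usr/local/bin/check-login'; // hypothetical

// Allow-list: the first character must be alphanumeric, so the value can
// never begin with '-'; then up to 31 characters of [A-Za-z0-9._-].
// \A and \z anchor the whole string, so a trailing newline is rejected.
function is_safe_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,31}\z/', $username) === 1;
}

// Build the command line, or return null when the name is rejected.
// escapeshellarg() neutralises shell metacharacters but not option
// parsing: a quoted value that starts with '-' is still read as an
// option by the program receiving it. The allow-list and the "--"
// marker (assumed to be honoured by the helper) cover that case.
function build_auth_command(string $username): ?string
{
    if (!is_safe_username($username)) {
        return null;
    }
    return AUTH_HELPER . ' -- ' . escapeshellarg($username);
}

// Constructed sample inputs: two ordinary names, then values that carry
// a leading hyphen, whitespace, a quote, a newline, or nothing at all.
$samples = ['admin', 'j.smith-01', '--option=value', '-v',
            'alice bob', "alice'x", "alice\n", ''];

foreach ($samples as $name) {
    $cmd = build_auth_command($name);
    printf("%-18s %s\n", json_encode($name), $cmd ?? 'REJECTED before authentication');
}
```

Only `admin` and `j.smith-01` produce a command line; every other sample is rejected before any authentication logic runs.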