CVE-2013-4468

Name of the Vulnerable Software and Affected Versions VICIDIAL dialer (aka Asterisk GUI client) versions 2.8-403a, 2.7, 2.7RC1, and earlier

Description The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to "manager send.php" API endpoint.

Recommendations For versions 2.8-403a, 2.7, 2.7RC1, and earlier, consider restricting access to the "manager send.php" API endpoint until a fix is available. As a temporary workaround, avoid using shell metacharacters in the extension parameter to minimize the risk of exploitation.