CVE-2019-12148

Name of the Vulnerable Software and Affected Versions Sangoma Session Border Controller (SBC) version 2.3.23-119 GA

Description The issue allows for an authentication bypass via an argument injection vulnerability involving special characters in the username field. This enables a remote unauthenticated user to log in to the device's admin web portal without providing any credentials. The vulnerability affects the /var/webconfig/gui/Webconfig.inc.php file, specifically the web interface.

Recommendations For Sangoma Session Border Controller (SBC) version 2.3.23-119 GA, as a temporary workaround, consider restricting access to the web interface or limiting the use of special characters in the username field until a patch is available. Additionally, avoid using the username field with special characters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.