Furkan Göksel

**Name of the Vulnerable Software and Affected Versions** VoIPmonitor versions prior to 24.61 **Description** A remote code execution issue was discovered in the web UI of VoIPmonitor. The issue is related to incorrect management of code generation in the config/configuration.php component. When the recheck option is used, the user-supplied `SPOOLDIR` value, which might contain PHP code, is injected into config/configuration.php. This allows a remote attacker to execute arbitrary PHP code. **Recommendations** For versions prior to 24.61, update to version 24.61 or later to resolve the issue. As a temporary workaround, consider restricting access to the config/configuration.php file to minimize the risk of exploitation. Avoid using the `SPOOLDIR` value in the affected web UI until the issue is resolved.