Ricardo J. Ruiz Fernández

**Name of the Vulnerable Software and Affected Versions** Zenitel AlphaCom XE Audio Server versions through 11.2.3.10 **Description** The web part of Zenitel AlphaCom XE Audio Server, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at "php/index.php". Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory. **Recommendations** For versions through 11.2.3.10, consider restricting access to the Custom Scripts section at "php/index.php" to minimize the risk of exploitation. As a temporary workaround, consider disabling the execution of PHP code under the /cmd directory until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.