CVE-2021-40845

Name of the Vulnerable Software and Affected Versions Zenitel AlphaCom XE Audio Server versions through 11.2.3.10

Description The web part of Zenitel AlphaCom XE Audio Server, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at "php/index.php". Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.

Recommendations For versions through 11.2.3.10, consider restricting access to the Custom Scripts section at "php/index.php" to minimize the risk of exploitation. As a temporary workaround, consider disabling the execution of PHP code under the /cmd directory until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.