PT-2021-3637 · Unknown · Voipmonitor

Furkan Göksel · Published 2021-05-10 · Updated 2021-06-09 · CVE-2021-30461

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: VoIPmonitor versions prior to 24.61

Description: A remote code execution issue was discovered in the web UI of VoIPmonitor. The issue is related to incorrect management of code generation in the config/configuration.php component. When the recheck option is used, the user-supplied SPOOLDIR value, which might contain PHP code, is injected into config/configuration.php. This allows a remote attacker to execute arbitrary PHP code.

Recommendations: For versions prior to 24.61, update to version 24.61 or later to resolve the issue. As a temporary workaround, consider restricting access to the config/configuration.php file to minimize the risk of exploitation. Avoid using the SPOOLDIR value in the affected web UI until the issue is resolved.
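As an added illustration (not VoIPmonitor's own code; the function names, the `$SPOOLDIR = '...'` line format and PHP 8 are assumptions), the config-generation pattern the description refers to, with the unsafe writer beside a hardened one that validates the path and escapes it with var_export():

```php
<?php
// Added illustration, not VoIPmonitor's code: a config generator that writes a
// user-supplied spool directory into a PHP file. Function names and the
// "$SPOOLDIR = '...'" line format are assumptions.

// Vulnerable pattern: the raw value is spliced into PHP source, so a value that
// closes the string literal becomes part of the generated, later-included code.
function write_config_unsafe(string $path, string $spooldir): void
{
    $php = "<?php\n\$SPOOLDIR = '" . $spooldir . "';\n";
    file_put_contents($path, $php);
}

// Hardened pattern: reject anything that is not a plain absolute path, then let
// var_export() emit a correctly escaped PHP string literal.
function write_config_safe(string $path, string $spooldir): void
{
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $spooldir) || str_contains($spooldir, '..')) {
        throw new InvalidArgumentException('SPOOLDIR must be a plain absolute path');
    }
    $php = "<?php\n\$SPOOLDIR = " . var_export($spooldir, true) . ";\n";
    // Write to a temp file and rename so a half-written config is never included.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

// Constructed inputs: a normal directory and a value containing a single quote,
// which would terminate the string literal in the unsafe writer.
$good = '/var/spool/voipmonitor';
$odd  = "/var/spool/it's";

write_config_safe('/tmp/configuration.php', $good);
echo file_get_contents('/tmp/configuration.php');
try {
    write_config_safe('/tmp/configuration.php', $odd);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Storing such settings in a non-executable format (JSON, INI) and reading them at runtime removes the code-generation step entirely, which is the more robust fix.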

Weakness Enumeration

Special Elements Injection

Code Injection

Related Identifiers

BDU:2021-03856
CVE-2021-30461

Affected Products

Voipmonitor