PT-2023-2278 · Coredial · Sipxcom

Published 2023-03-03 · Updated 2023-04-11 · CVE-2023-25356

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
CoreDial sipXcom versions up to and including 21.04

Description
The issue is an instance of Improper Neutralization of Argument Delimiters in a Command, which allows XMPP users to inject arbitrary arguments into a system command. This can be used to read files from and write files to the sipXcom server, and can also be leveraged to gain remote command execution. The vulnerability lies in the modification or injection of arguments in the initializePlugin function of the file sipXopenfire/presence-plugin/src/org/sipfoundry/openfire/plugin/presence/SipXOpenfirePlugin.java.

Recommendations
For CoreDial sipXcom versions up to and including 21.04, consider disabling the initializePlugin function as a temporary workaround until a patch is available. Restrict access to the presence plugin to minimize the risk of exploitation. Avoid using the XMPP protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Argument Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02039
CVE-2023-25356

Affected Products

Sipxcom