PT-2026-6747 · Asterisk · Asterisk
Thattotallyrealmyth
Published 2026-01-01 · Updated 2026-02-06
CVE-2026-23738
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Asterisk versions prior to 20.7-cert9
Asterisk versions prior to 20.18.2
Asterisk versions prior to 21.12.1
Asterisk versions prior to 22.8.2
Asterisk versions prior to 23.2.2
Description
Asterisk is a private branch exchange and telephony toolkit. User-controlled values from cookies and GET query parameters are inserted directly, without escaping, into HTML pages built with the ast_str_append function. The /httpstatus endpoint is potentially vulnerable. This allows user-supplied data to be injected into the HTML output (cross-site scripting).

Recommendations
Update to Asterisk version 20.7-cert9 or later.
Update to Asterisk version 20.18.2 or later.
Update to Asterisk version 21.12.1 or later.
Update to Asterisk version 22.8.2 or later.
Update to Asterisk version 23.2.2 or later.
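To make the pattern in the description concrete, the following is an added example in plain C and is not Asterisk source: a request-controlled value is appended to an HTML buffer verbatim (the vulnerable shape), next to a variant that HTML-escapes every request-derived string before it reaches the buffer (the shape of the fix). The buf_append helper, the render_status_row_* functions and the sample values are constructed for this illustration; none of them is an Asterisk API, and ast_str_append is mentioned in the comments only as the function the advisory refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable-string append. This is a stand-in for the kind of dynamic
 * string helper the advisory mentions (ast_str_append); it is NOT that function
 * and makes no claim about Asterisk's real API. Returns 0 on success. */
static int buf_append(char **dst, size_t *len, const char *src)
{
    size_t n = strlen(src);
    char *tmp = realloc(*dst, *len + n + 1);
    if (!tmp) {
        return -1;
    }
    *dst = tmp;
    memcpy(*dst + *len, src, n + 1); /* copies the terminating NUL too */
    *len += n;
    return 0;
}

/* Append src with the five HTML metacharacters replaced by entities, so the
 * value renders as text and cannot open a tag or close an attribute. */
static int buf_append_html_escaped(char **dst, size_t *len, const char *src)
{
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        if (buf_append(dst, len, rep) < 0) {
            return -1;
        }
    }
    return 0;
}

/* Vulnerable shape (constructed): name and value taken from the request
 * (cookie or query parameter) are concatenated into the page as-is.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *render_status_row_unsafe(const char *name, const char *value)
{
    char *out = NULL;
    size_t len = 0;
    if (buf_append(&out, &len, "<tr><td>") < 0
        || buf_append(&out, &len, name) < 0
        || buf_append(&out, &len, "</td><td>") < 0
        || buf_append(&out, &len, value) < 0
        || buf_append(&out, &len, "</td></tr>") < 0) {
        free(out);
        return NULL;
    }
    return out;
}

/* Hardened shape (constructed): identical markup, but every request-derived
 * string goes through the escaper before it touches the buffer. */
char *render_status_row_safe(const char *name, const char *value)
{
    char *out = NULL;
    size_t len = 0;
    if (buf_append(&out, &len, "<tr><td>") < 0
        || buf_append_html_escaped(&out, &len, name) < 0
        || buf_append(&out, &len, "</td><td>") < 0
        || buf_append_html_escaped(&out, &len, value) < 0
        || buf_append(&out, &len, "</td></tr>") < 0) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    /* Constructed sample: a parameter value carrying markup characters. */
    const char *value = "<b>x</b>&\"'";
    char *u = render_status_row_unsafe("param", value);
    char *s = render_status_row_safe("param", value);
    printf("unsafe: %s\n", u ? u : "(alloc failed)");
    printf("safe:   %s\n", s ? s : "(alloc failed)");
    free(u);
    free(s);
    return 0;
}
```

The escaped variant keeps the page's own markup intact while guaranteeing that nothing coming from the request can contribute a tag or attribute boundary; this is the property a reviewer checks for at every point where a cookie or query value is concatenated into a response body.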
XSS
Affected Products
Asterisk