Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands.
Following responsible disclosure by researchers from Kerbit, an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in version 24.97 of the WEB GUI shipped on January 11, 2022.
“[F]ix critical vulnerabilities – new SQL injects for unauthenticated users allowing gaining admin privileges,” the maintainers of VoIPmonitor noted in the change log.
VoIPmonitor is an open-source network packet sniffer, with a commercial frontend, for the SIP, RTP, and RTCP VoIP protocols running on Linux. It allows users to monitor and troubleshoot the quality of SIP VoIP calls, as well as decode, play, and archive calls in a CDR database.