CVE-2020-37153

CRITICAL

ASTPP 4.0.1 - XSS, Command Injection

Title source: llm

Description

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

Exploits (1)

exploitdb WORKING POC

by Fabien AUNAY · textremotelinux

https://www.exploit-db.com/exploits/47889

View Code ZIP pw:eip

References (4)

[Various Sources] https://github.com/iNextrix/ASTPP

[Various Sources] https://www.astppbilling.org/

[Third Party Advisory] https://www.vulncheck.com/advisories/astpp-voip-remote-code-execution

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47889

Scores

CVSS v3 9.8

EPSS 0.0018

EPSS Percentile 38.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (1)

inextrix/astpp 4.0.1

Published Feb 11, 2026

Tracked Since Feb 18, 2026