CVE-2023-25356

HIGH

CoreDial sipXcom <=21.04 - Command Injection

Description

CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution.

Scores

CVSS v3 8.8
EPSS 0.2012
EPSS Percentile 95.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-88
Status published

Affected Products (1)

coredial/sipxcom < 21.04

Timeline

Published Apr 04, 2023
Tracked Since Feb 18, 2026