
CVE-2013-10043

Published 31/07/2025 15:15 · Modified 31/07/2025 18:42

Labels: CVE-2013-10043, 2025-07-31, CWE-89, [email protected]

Essential information

Published: 31/07/2025 15:15
Modified: 31/07/2025 18:42
Author:
Creator:
CVSS: 9.5 CRITICAL (v3), 9.5 CRITICAL (v4.0)
CISA KEV: No
CWE: CWE-89
CVSS vector:

Description

A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: oastium / astium confweb
CPE: cpe:2.3:a:oastium:astium_confweb:<2.1-25399:*:*:*:*:*:*:*
