CVE-2013-10043
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astium | voip_pbx | 2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier versions. It involves improper input validation in the logon.php script that allows an attacker to bypass authentication using SQL injection. After bypassing authentication, the attacker can upload arbitrary PHP code through the importcompany field in import.php. This code is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload, leading to remote code execution and full system compromise.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to an attacker gaining administrative access without proper authentication, uploading and executing arbitrary code with root privileges, and ultimately achieving full system compromise. This means the attacker can control the affected system completely, potentially leading to data theft, service disruption, or further attacks within the network.