CVE-2007-6424

critical

Description

registry.pl in Fonality Trixbox 2.0 PBX products, when running in certain environments, reads and executes a set of commands from a remote web site without sufficiently validating the origin of the commands, which allows remote attackers to disable trixbox and execute arbitrary commands via a DNS spoofing attack.

References

http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home

http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002533.html

http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002528.html

http://voipsa.org/pipermail/voipsec_voipsa.org/2007-December/002522.html

http://voipsa.org/blog/2007/12/17/trixbox-contains-phone-home-code-to-retrieve-arbitrary-commands-to-execute/

http://osvdb.org/44136

Details

Source: Mitre, NVD

Published: 2007-12-18

Updated: 2024-02-14

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical