Vulnerability Description
The web interface of Zenitel AlphaCom XE Audio Server through version 11.2.3.10, called AlphaWeb XE, does not restrict file uploads in the Custom Scripts section at php/index.php. Neither the content nor the extension of an uploaded file is checked, so a PHP file uploaded through that section is stored under the /cmd directory and executed by the server when requested. The weakness is therefore an unrestricted upload that leads directly to server-side code execution.
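The exploitation pattern the description implies is an upload through the Custom Scripts handler followed by a request for a new .php file under /cmd/. The following detector, an added example that is not part of the advisory, the Packet Storm write-ups or Zenitel's own code, ties those two events together in web server access logs. It assumes Apache "combined" log format and that the handler and script paths appear in the request line as /php/index.php and /cmd/<name>.php; the log lines embedded below are constructed for the example and are not real AlphaWeb XE output.

```python
"""Flag clients that POST to the AlphaWeb XE Custom Scripts handler and then
request a .php file under /cmd/ shortly afterwards (CVE-2021-40845 pattern).

Added example, not vendor code. Assumptions: Apache combined access-log
format; upload handler at /php/index.php; uploaded scripts served from /cmd/.
"""
import re
from datetime import datetime, timedelta

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/php/index.php"          # Custom Scripts handler (from the advisory)
CMD_SCRIPT_RE = re.compile(r"^/cmd/[^/?]+\.php(\?.*)?$", re.IGNORECASE)

# Constructed sample log: one upload-then-execute sequence from 10.0.0.5,
# an unrelated /cmd/ request from 10.0.0.9, and a late follow-up from 10.0.0.7.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2021:12:00:01 +0000] "GET /php/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Sep/2021:12:00:07 +0000] "POST /php/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Sep/2021:12:00:09 +0000] "GET /cmd/test.php?x=1 HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Sep/2021:12:05:00 +0000] "GET /cmd/status.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Sep/2021:13:30:00 +0000] "POST /php/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Sep/2021:13:50:00 +0000] "GET /cmd/late.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_upload_then_exec(lines, window_minutes=10):
    """Return (ip, script_path) pairs where the same client POSTed to the
    Custom Scripts handler and then fetched a .php file under /cmd/ within
    window_minutes. Lines are assumed to be in chronological order."""
    window = timedelta(minutes=window_minutes)
    last_post = {}   # ip -> timestamp of most recent POST to the handler
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_PATH:
            last_post[rec["ip"]] = rec["ts"]
        elif CMD_SCRIPT_RE.match(rec["path"]):
            t0 = last_post.get(rec["ip"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= window:
                hits.append((rec["ip"], path))
    return hits


if __name__ == "__main__":
    for ip, script in find_upload_then_exec(SAMPLE_LOG):
        print(f"possible CVE-2021-40845 exploitation: {ip} uploaded and ran {script}")
```

Any request for a .php file under /cmd/ is worth a look on its own, since custom scripts are not expected to be fetched by arbitrary clients; the upload-then-execute correlation mainly cuts noise when the window is short. Widen window_minutes to catch slower operators, at the cost of more false pairings from shared NAT addresses.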
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zenitel | AlphaCom XE Audio Server | <= 11.2.3.10 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/164149/Zenitel-AlphaCom-XE-Audio-Server-11. (Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/164160/Zenitel-AlphaCom-XE-Audio-Server-11. (Exploit, Third Party Advisory, VDB Entry)
- https://github.com/ricardojoserf/CVE-2021-40845 (Exploit, Third Party Advisory)
- https://ricardojoserf.github.io/CVE-2021-40845/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-40845?
CVE-2021-40845 is an unrestricted file upload vulnerability with a CVSS base score of 8.8 (HIGH). The web interface of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file uploads in the Custom Scripts section at php/index.php. Neither the content nor the extension of an uploaded file is checked, so PHP code can be uploaded and executed from the /cmd directory.
How severe is CVE-2021-40845?
CVE-2021-40845 has been rated HIGH with a CVSS base score of 8.8/10. The score reflects that a successful upload yields server-side code execution on the audio server; this page lists only the base score and severity rating, not the individual CVSS metrics.
Is there a patch for CVE-2021-40845?
Versions of Zenitel AlphaCom XE Audio Server through 11.2.3.10 are affected. Check the references section above for the vendor advisory and fixed-version information; until a fixed release is deployed, restrict network access to the AlphaWeb XE interface and monitor for unexpected .php files under the /cmd directory.