Description

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.

Status: Published
Reserved: 2026-02-03 | Published: 2026-02-11 | Updated: 2026-02-11 | Assigner: VulnCheck

Severity

HIGH: 7.7 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

4.0.1: affected

Credits

Fabien AUNAY (finder)

References

www.exploit-db.com/exploits/47889 (ExploitDB-47889) exploit

www.astppbilling.org/ (ASTPP Official Vendor Homepage) product

github.com/iNextrix/ASTPP (ASTPP GitHub Repository) product

www.vulncheck.com/...sories/astpp-voip-remote-code-execution (VulnCheck Advisory: ASTPP VoIP 4.0.1 - Remote Code Execution) third-party-advisory

cve.org (CVE-2020-37153)

nvd.nist.gov (CVE-2020-37153)
