Asterisk Cross-Site Scripting Vulnerability via Unescaped HTTP GET Parameters and Cookies

Vulnerability

A cross-site scripting vulnerability has been identified in Asterisk, an open-source private branch exchange and telephony toolkit. This issue affects versions through 23.2.1, 22.8.1, 21.12.0, 20.18.1, and 20.7-cert8. The vulnerability arises because user-supplied values from cookies and GET query parameters are inserted directly into the HTML of the '/httpstatus' page without sanitization: the values are appended via 'ast_str_append' without HTML escaping. This unescaped interpolation enables reflected cross-site scripting, which in turn can be chained with other weaknesses to steal credentials or tokens or to carry out cross-site request forgery.
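The defensive fix for this class of bug is to HTML-encode every untrusted value before it is appended to the page. The following is an added example, not Asterisk's own code and not its patch: a minimal escaper for the five HTML-significant characters, plus a "before" row renderer that interpolates raw input (mirroring the advisory's description) beside a "fixed" renderer that escapes first. The row template, the function names and the sample cookie value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape '&', '<', '>', '"' and '\'' so that input can be placed in
 * HTML text or quoted-attribute context without being parsed as
 * markup. Returns a newly allocated string the caller must free,
 * or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break; /* &amp;  */
        case '<':  out_len += 4; break; /* &lt;   */
        case '>':  out_len += 4; break; /* &gt;   */
        case '"':  out_len += 6; break; /* &quot; */
        case '\'': out_len += 5; break; /* &#39;  */
        default:   out_len += 1; break;
        }
    }
    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default: break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* "Before": key and value are appended verbatim, so any markup in a
 * cookie or query parameter lands in the page unchanged. (Constructed
 * illustration of the bug pattern, not the Asterisk source.) */
int render_row_unsafe(char *buf, size_t len, const char *key, const char *val)
{
    return snprintf(buf, len, "<tr><td>%s</td><td>%s</td></tr>", key, val);
}

/* "Fixed": both key and value are escaped before interpolation. */
int render_row_safe(char *buf, size_t len, const char *key, const char *val)
{
    char *k = html_escape(key);
    char *v = html_escape(val);
    int n = -1;
    if (k && v)
        n = snprintf(buf, len, "<tr><td>%s</td><td>%s</td></tr>", k, v);
    free(k);
    free(v);
    return n;
}

/* Helper for checks: 1 if html_escape(in) equals expected. */
int escapes_to(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

/* Returns 1 when the safe renderer contains the escaped form of `val`
 * and does not contain `val` verbatim (unless escaping was a no-op). */
int safe_row_neutralizes(const char *val)
{
    char buf[512];
    char *esc = html_escape(val);
    if (!esc)
        return 0;
    int n = render_row_safe(buf, sizeof buf, "value", val);
    int ok = n > 0 && (size_t)n < sizeof buf && strstr(buf, esc) != NULL
             && (strcmp(esc, val) == 0 || strstr(buf, val) == NULL);
    free(esc);
    return ok;
}

/* Returns 1 when the unsafe renderer copies `val` into the page raw. */
int unsafe_row_copies_raw(const char *val)
{
    char buf[512];
    int n = render_row_unsafe(buf, sizeof buf, "value", val);
    return n > 0 && (size_t)n < sizeof buf && strstr(buf, val) != NULL;
}

int main(void)
{
    /* Constructed sample: a cookie value that carries HTML markup. */
    const char *cookie = "<b>sample</b>";
    char buf[512];
    render_row_unsafe(buf, sizeof buf, "cookie", cookie);
    printf("unsafe: %s\n", buf);
    render_row_safe(buf, sizeof buf, "cookie", cookie);
    printf("safe:   %s\n", buf);
    return 0;
}
```

The escaper covers text and double-quoted attribute contexts only; values placed inside a `<script>` block, a URL, or an unquoted attribute need context-specific encoding, so the safest layout is to keep untrusted data out of those positions entirely.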

Impact

Exploitation of this vulnerability allows cross-site scripting in the context of the Asterisk HTTP interface, which can be chained to steal credentials or tokens and to carry out cross-site request forgery against the same interface.

Remediation

Users can upgrade to Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 to address this vulnerability.

Added: Feb 6, 2026, 5:25 PM
Updated: Feb 6, 2026, 11:05 PM

Vulnerability Rating

Custom Algorithm
spread         6.8
impact         1.7
exploitability 6.0
remediation    7.7
relevance      2.8
threat         0.0
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.