Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user-supplied/controlled values for cookies and any GET query parameter are directly interpolated into the HTML of the page using ast_str_append. The affected endpoint is GET /httpstatus, implemented in asterisk/main/http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Published: 2026-02-06
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

Asterisk exposes a flaw in its embedded web interface at the "/httpstatus" endpoint: values supplied via cookies and GET query parameters are written directly into the returned HTML page with ast_str_append and no HTML escaping. Because no sanitization is performed, an attacker can inject HTML or JavaScript that executes in the victim's browser when the page is viewed. This client-side code execution can lead to session hijacking, credential theft, or other actions performed against the web interface in the victim's browser session, making it a classic XSS (CWE-79) vulnerability. The impact is limited to the browser context of users who load the page; it does not provide remote code execution on, or direct access to, the underlying Asterisk instance.
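The following C program is an added illustration and is not Asterisk's code: it contrasts the vulnerable pattern the analysis describes (an untrusted request value appended to an HTML buffer unchanged) with the hardened form (the same value HTML-escaped before it is appended). The strbuf type and the render_row, append_raw and append_html_escaped functions are hypothetical stand-ins for an append-to-string API such as ast_str_append; the sample query-string value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for an append-to-string API
 * such as the ast_str_append the advisory mentions. Illustration only,
 * not Asterisk's implementation. */
struct strbuf {
    char *data;
    size_t len;
    size_t cap;
};

static int strbuf_init(struct strbuf *b)
{
    b->cap = 64;
    b->len = 0;
    b->data = malloc(b->cap);
    if (!b->data) return -1;
    b->data[0] = '\0';
    return 0;
}

static int strbuf_append(struct strbuf *b, const char *s, size_t n)
{
    if (b->len + n + 1 > b->cap) {
        size_t ncap = b->cap;
        while (b->len + n + 1 > ncap) ncap *= 2;
        char *nd = realloc(b->data, ncap);
        if (!nd) return -1;
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Vulnerable pattern (CWE-79): the untrusted value is copied into the
 * HTML unchanged, so '<', '>' and quotes keep their markup meaning. */
static int append_raw(struct strbuf *b, const char *value)
{
    return strbuf_append(b, value, strlen(value));
}

/* Hardened pattern: replace the five characters that can change HTML
 * structure before appending, so the value only ever renders as text. */
static int append_html_escaped(struct strbuf *b, const char *value)
{
    for (const char *p = value; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        int rc = rep ? strbuf_append(b, rep, strlen(rep)) : strbuf_append(b, p, 1);
        if (rc) return -1;
    }
    return 0;
}

/* Render one "name / value" table row the way a status page might.
 * escape != 0: both cells go through append_html_escaped (safe).
 * escape == 0: both cells are appended raw (the vulnerable behaviour).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *render_row(const char *name, const char *value, int escape)
{
    struct strbuf b;
    int (*put)(struct strbuf *, const char *) = escape ? append_html_escaped : append_raw;
    if (strbuf_init(&b)) return NULL;
    if (strbuf_append(&b, "<tr><td>", 8) || put(&b, name)
        || strbuf_append(&b, "</td><td>", 9) || put(&b, value)
        || strbuf_append(&b, "</td></tr>", 10)) {
        free(b.data);
        return NULL;
    }
    return b.data;
}

int main(void)
{
    /* Constructed sample: a query-string value carrying markup characters. */
    const char *value = "<b>status</b> & \"quoted\"";
    char *raw = render_row("q", value, 0);
    char *safe = render_row("q", value, 1);
    printf("raw:  %s\nsafe: %s\n", raw, safe);
    free(raw);
    free(safe);
    return 0;
}
```

The escaping is applied at the point where the value is written into HTML (output encoding), not where it is read from the request, so every code path that renders the row is covered regardless of how the value arrived. Escaping the name cell as well matters because cookie and parameter names are attacker-controlled too.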

Affected Systems

The affected product is Asterisk, the open source telephony toolkit. Vendor Sangoma distributes both the community edition and certified releases. All versions prior to 20.7‑cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 contain the flaw. Those fixed releases contain sanitization logic to prevent the injection of uncontrolled content into the /httpstatus page.

Risk and Exploitability

The CVSS score of 3.5 indicates low overall severity, and the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The CVSS vector (AV:A/AC:L/PR:N/UI:R) reflects the attack model: no privileges are required, but the attacker must deliver a crafted URL or cookie to a user who then accesses the /httpstatus page, which is typically not exposed publicly. If the embedded web server is reachable over the internet, the risk rises because any authenticated or unauthenticated user could be induced to load the page and thus be subject to XSS. The primary resolution therefore is to update the software so that input values are properly escaped before rendering.

Generated by OpenCVE AI on April 17, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Asterisk to any fixed version (20.7‑cert9 or later for certified releases, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 for the open‑source edition).
  • If an upgrade is not immediately possible, restrict external network access to the embedded web server or block the "/httpstatus" endpoint using firewall or host‑based access controls so that only trusted local systems can reach it.
  • Consider disabling the embedded web server entirely or limiting its authentication mechanisms if it is not required for your deployment, thereby reducing the attack surface that can deliver client‑side code.

Advisories

Source: Debian DLA
ID: DLA-4515-1
Title: asterisk security update

History

Wed, 18 Feb 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Type: CPEs
Values Added:
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Asterisk; Asterisk asterisk

Type: Vendors & Products
Values Added: Asterisk; Asterisk asterisk

Fri, 06 Feb 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 17:00:00 +0000

Type: Description
Values Added: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main/http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Type: Title
Values Added: The Asterisk embedded web server's /httpstatus page echoes user-supplied values (cookie and query string) without sanitization

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

Asterisk: Asterisk
Sangoma: Asterisk, Certified Asterisk

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T17:44:20.480Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23738

Vulnrichment

Updated: 2026-02-06T17:44:13.843Z

NVD

Status: Analyzed

Published: 2026-02-06T17:16:26.000

Modified: 2026-02-18T18:42:48.877

Link: CVE-2026-23738

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses