平台
asterisk
组件
asterisk
修复版本
23.2.3
22.8.3
21.12.2
20.18.3
20.7.1
CVE-2026-23738 describes a Cross-Site Scripting (XSS) vulnerability affecting Asterisk versions up to and including 23.2.2. This vulnerability allows attackers to inject malicious scripts into the Asterisk HTTP status page, potentially leading to session hijacking or defacement. The vulnerability stems from improper handling of user-controlled input in the /httpstatus endpoint, specifically Cookies and GET query parameters. A patch is available in version 23.2.3.
Successful exploitation of CVE-2026-23738 allows an attacker to inject arbitrary JavaScript code into the Asterisk HTTP status page. This can be leveraged to steal user session cookies, redirect users to malicious websites, or deface the page. The impact is amplified if the Asterisk server is publicly accessible or integrated with other systems, as the attacker could potentially gain access to sensitive data or compromise the entire network. While the CVSS score is LOW, the ease of exploitation and potential for lateral movement make this a significant concern, particularly in environments with limited security controls.
CVE-2026-23738 was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation. This vulnerability does not appear to be listed on the CISA KEV catalog.
Organizations running Asterisk for VoIP services, particularly those with publicly accessible Asterisk servers or those using default configurations, are at risk. Shared hosting environments where multiple users share an Asterisk instance are also vulnerable.
• linux / server:
journalctl -u asterisk | grep -i 'httpstatus'• generic web:
curl -I http://<asterisk_ip>/httpstatus | grep -i 'set-cookie'• generic web:
curl 'http://<asterisk_ip>/httpstatus?param=<script>alert(1)</script>' -s | grep '<script>'disclosure
漏洞利用状态
EPSS
0.05% (15% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-23738 is to upgrade Asterisk to version 23.2.3 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious input in Cookies and GET parameters targeting the /httpstatus endpoint. Input validation on the server-side can also help prevent the injection of malicious scripts. Regularly review Asterisk configuration to ensure the /httpstatus endpoint is not publicly accessible if not required.
Actualice Asterisk a la versión 20.7-cert9, 20.18.2, 21.12.1, 22.8.2 o 23.2.2, o a una versión posterior. Esto corregirá la vulnerabilidad de Cross-Site Scripting (XSS) en la página /httpstatus del servidor web integrado.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-23738 is a Cross-Site Scripting (XSS) vulnerability in Asterisk versions up to 23.2.2, allowing attackers to inject malicious scripts via the /httpstatus endpoint.
You are affected if you are running Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 or earlier. Upgrade to 23.2.3 or later to mitigate the risk.
Upgrade Asterisk to version 23.2.3 or later. As a temporary workaround, implement a WAF rule to filter malicious input on the /httpstatus endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Asterisk security advisory for details: [https://www.asterisk.org/security-advisories/]