CVE-2026-23738
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in Asterisk's web interface. Attackers can inject malicious scripts via cookies or GET parameters, which execute when users visit the /httpstatus endpoint. Organizations running vulnerable Asterisk versions with web interface access are affected.
💻 Affected Systems
- Asterisk
📦 What is this software?
Asterisk by Sangoma
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites.
Likely Case
Session hijacking or credential theft against administrators accessing the web interface.
If Mitigated
Limited impact if the web interface is not exposed or sits behind additional security controls such as a WAF.
🎯 Exploit Status
Exploitation requires user interaction (visiting crafted /httpstatus URL) but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 depending on branch
Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh
Restart Required: Yes
Instructions:
1. Identify your Asterisk version.
2. Upgrade to the patched version matching your branch.
3. Restart the Asterisk service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable web interface
Disable Asterisk's built-in HTTP server if it is not needed
Edit http.conf: set enabled=no in the [general] section
Restart Asterisk: asterisk -rx 'core restart now'
Restrict access to web interface
Use firewall rules to limit access to trusted IPs only (8088 is the default HTTP port; replace TRUSTED_IP with your management address)
iptables -A INPUT -p tcp --dport 8088 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8088 -j DROP
🧯 If You Can't Patch
- Implement web application firewall (WAF) with XSS protection rules
- Disable or restrict access to /httpstatus endpoint via reverse proxy configuration
🔍 How to Verify
Check if Vulnerable:
Check Asterisk version and compare with affected versions. Access web interface to see if /httpstatus endpoint exists.
Check Version:
asterisk -rx 'core show version'
Verify Fix Applied:
Verify Asterisk version is patched and test /httpstatus endpoint with XSS payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /httpstatus with encoded script tags
- Multiple failed XSS attempts in web logs
Network Indicators:
- HTTP requests containing script tags or encoded payloads to /httpstatus endpoint
SIEM Query:
source="asterisk_http.log" AND uri="/httpstatus" AND (payload="<script>" OR payload="%3Cscript%3E")
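The log indicators above can be checked offline with the following script. It is an added example, not part of the advisory or of Asterisk: it assumes a reverse proxy in front of Asterisk writes combined-format access logs (the sample lines below are constructed), parses each request to /httpstatus, URL-decodes every GET parameter repeatedly so double-encoded payloads are not missed, and flags values that decode to markup. Only the GET-parameter vector is covered, since standard access logs do not record cookies.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in "combined" access-log format, as written by a
# reverse proxy in front of Asterisk's HTTP server (assumption: the proxy is
# the log source; the format of Asterisk's own HTTP logging is not assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /httpstatus HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2026:10:00:02 +0000] "GET /httpstatus?x=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.0"
10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /httpstatus?probe=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 600 "-" "curl/8.0"
10.0.0.11 - - [01/Mar/2026:10:00:04 +0000] "GET /static/app.js?v=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markup or script syntax that has no business in a query-string value sent to /httpstatus.
MARKUP_RE = re.compile(r'<\s*/?\s*\w+|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Return one finding per GET parameter to /httpstatus whose decoded value contains markup."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/httpstatus":
            continue  # the vulnerable endpoint named in the advisory
        # parse_qsl decodes once; decode again to unwrap nested encodings.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                findings.append({"ip": ip, "time": ts, "param": name,
                                 "decoded": value, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']!r} decoded={f['decoded']!r}")
```

A hit on a patched version is only a probe; a hit on an unpatched version is a reason to check which administrator sessions were active at that time.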