CVE-2023-37599 Scanner

CVE-2023-37599 Scanner - Directory Listing vulnerability in Issabel PBX

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 2 hours
Scan only one: URL
Toolbox: -

Issabel PBX is an open-source communication software widely used for unified communications in small to medium-sized businesses. It provides a feature-rich platform for managing telephony, voicemail, conferencing, and more. Users depend on it for handling sensitive and business-critical communications securely and efficiently. This product's modular architecture allows users to extend its functionality with additional features. Issabel PBX is especially popular in environments that require customizable, scalable, and cost-effective telephony solutions. Proper configuration and updates are essential to maintaining its security and functionality.

The Directory Listing vulnerability allows unauthorized access to sensitive directories and files within Issabel PBX. This issue arises when the software fails to restrict access to the modules directory properly. Exploiting this vulnerability can expose confidential information to attackers, potentially leading to misuse of the system. It represents a significant security concern for organizations using this software. Addressing this vulnerability is crucial to ensuring the confidentiality and integrity of communication systems. The ease of exploitation makes it a priority for remediation.

This vulnerability can be exploited by sending a crafted HTTP request to the Issabel PBX server. If the modules directory is accessible, attackers can enumerate its contents. The matchers in the scan look for specific keywords in the response body, such as "Index of /modules" and keywords like "issabel," "asterisk_," and "billing_." Additionally, a 200 status code confirms the directory's accessibility. This highlights a lack of adequate directory access controls within the system configuration.
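The matcher logic described above, written out as a small self-check an asset owner can run against a saved response from their own Issabel server. This is an added example, not the scanner's own code: the HTML bodies are constructed samples, and the assumption that a single matching keyword (rather than all three) is enough to flag the listing is mine.

```python
import re

# Constructed sample responses (not captured from any real host).
EXPOSED_BODY = """<html><head><title>Index of /modules</title></head>
<body><h1>Index of /modules</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="asterisk_cli/">asterisk_cli/</a>
<a href="billing_report/">billing_report/</a>
<a href="issabel_info/">issabel_info/</a>
</body></html>"""

HARDENED_BODY = "<html><body><h1>Forbidden</h1></body></html>"

# Keywords named on the page; matched case-insensitively (assumption).
MODULE_KEYWORDS = ("issabel", "asterisk_", "billing_")


def is_modules_listing_exposed(status, body):
    """Return True when a response meets the page's matcher conditions:
    HTTP 200, the literal 'Index of /modules' title, and at least one
    module keyword in the body (any-of is an assumption of this example)."""
    if status != 200:
        return False
    if "Index of /modules" not in body:
        return False
    lowered = body.lower()
    return any(keyword in lowered for keyword in MODULE_KEYWORDS)


def extract_listed_entries(body):
    """Collect the directory entries an auto-index page reveals, so a report
    can show exactly which module directories were exposed. Sort links
    ('?C=...') and the parent-directory link ('/') are skipped."""
    entries = []
    for href in re.findall(r'href="([^"]+)"', body):
        if href.startswith("?") or href.startswith("/"):
            continue
        entries.append(href)
    return entries


if __name__ == "__main__":
    for label, status, body in (("exposed", 200, EXPOSED_BODY),
                                ("hardened", 403, HARDENED_BODY)):
        flagged = is_modules_listing_exposed(status, body)
        print(f"{label}: vulnerable={flagged}")
        if flagged:
            print("  exposed entries:", extract_listed_entries(body))
```

A response that is flagged means the web server is serving an auto-generated index for the modules directory; on an Apache-based install the usual fix is to disable `Indexes` in the `Options` for that path (or for the whole document root) and re-run the check until it reports `vulnerable=False`.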

If exploited, the vulnerability can result in unauthorized access to sensitive directories and files. This could allow attackers to gain insights into the system's structure and potentially access files with sensitive configurations or data. Consequently, this could lead to system compromise or further exploitation of the environment. Organizations relying on Issabel PBX may face significant security breaches if this issue is not addressed promptly. The exposure of sensitive information could also result in compliance violations and reputational damage.
