CVE-2021-41408
Description
VoIPmonitor WEB GUI up to version 24.61 is affected by SQL injection through the "api.php" file and "user" parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- VoIPmonitor/VoIPmonitor WEB GUI
- Range: <=24.61
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in api.php allows SQL injection through the 'user' parameter."
Attack vector
An attacker can send a crafted HTTP request to the "api.php" endpoint with a malicious "user" parameter containing SQL injection payloads [ref_id=1]. The application fails to sanitize or parameterize this user-supplied input before incorporating it into SQL queries. This allows the attacker to execute arbitrary SQL commands against the backend database, potentially extracting sensitive data, modifying records, or escalating privileges. The attack requires network access to the VoIPmonitor WEB GUI and no authentication is mentioned as a prerequisite.
Affected code
The vulnerability resides in the "api.php" file, specifically in the handling of the "user" parameter [ref_id=1]. The changelog entry "harden task validation and guard undefined searchId in API" indicates the API endpoint lacked proper input sanitization, allowing SQL injection through the user parameter.
What the fix does
The advisory does not provide a specific patch diff, but the changelog indicates the fix involved hardening task validation and guarding undefined searchId in the API [ref_id=1]. The remediation likely includes adding input sanitization, parameterized queries, or prepared statements for the "user" parameter in api.php to prevent SQL injection. Users should upgrade to the latest version of VoIPmonitor WEB GUI to receive the security fix.
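To make the remediation pattern concrete, here is an added example of a hypothetical api.php fragment; it is not VoIPmonitor's actual code (the advisory shows none), and the table name, column name, database credentials and the 64-character length limit are all assumptions. It puts the unsafe string-built query beside the parameterized form the narrative above describes.

```php
<?php
// Added example: hypothetical code, not VoIPmonitor's api.php. The users table,
// the username column, the DSN and the credentials are assumptions.

// Vulnerable pattern: the request parameter is concatenated into the SQL text,
// so a quote or operator inside "user" changes the structure of the query.
function findUserUnsafe(PDO $db, string $user): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $user . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the value is sent as a bound parameter, so the database
// never interprets it as part of the SQL statement.
function findUserSafe(PDO $db, string $user): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :user");
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Endpoint wiring (constructed): validate the parameter before it reaches the
// query, then use the prepared statement. Credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=voipmonitor', 'app', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side escaping
]);
$user = $_GET['user'] ?? '';
if ($user === '' || strlen($user) > 64) {   // length bound is an assumption
    http_response_code(400);
    exit('invalid user parameter');
}
header('Content-Type: application/json');
echo json_encode(findUserSafe($db, $user) ?? []);
```

The length check is defense in depth only; the prepared statement is what closes the injection, and it must be applied to every query that reads the "user" parameter, not just one.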
Preconditions
- Network access to the VoIPmonitor WEB GUI
- The api.php endpoint must be reachable
- Ability to send HTTP requests with a crafted 'user' parameter
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/divinepwner/e51050e0d7df77ff1f1379583e8cf7db (x_refsource_MISC)
- www.voipmonitor.org/changelog-gui (x_refsource_MISC)