CVE-2022-24262

An attacker with access to the config restore functionality uploads a crafted archive (e.g., a ZIP or tar file) containing a PHP file. Because the restore function does not check the contents of the archive before extracting it into the web root [ref_id=1], the attacker's file is placed in a web-accessible directory. The attacker then requests that file via HTTP, causing the server to execute arbitrary PHP commands.

The config restore function in the VoIPmonitor GUI (before v24.96) does not validate files sent as restore archives. The advisory does not specify exact file paths or function names, but the vulnerability lies in the archive extraction logic that places files into the web root without sanitization.

The changelog for v24.96 does not explicitly describe a patch for this specific vulnerability [ref_id=1]. The advisory indicates the issue was fixed in v24.96, but no diff or remediation details are provided in the available reference. Users should upgrade to VoIPmonitor GUI v24.96 or later to receive the fix.