Asterisk Project Security Advisory – AST-2017-006

The app_minivm module has an "externnotify" program configuration option, and the configured program is executed by the MinivmNotify dialplan application. The application builds a command string that includes the caller-id name and number and passes it to the OS shell for interpretation and execution. Because the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows arbitrary shell command injection.
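The pattern described above, shown next to an argv-based invocation that never involves a shell. This is an added example, not Asterisk source code: `run_notify`, the `/bin/echo` stand-in for the externnotify program, and the sample caller-id value are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NOTIFY_PROG "/bin/echo" /* assumption: stand-in for the externnotify program */

/* Run the notifier with an untrusted caller-id number and capture its stdout.
 * use_shell=1: one built string handed to "sh -c" (the pattern in the advisory).
 * use_shell=0: the value is a single argv element and no shell parses it.
 * Returns the number of bytes captured, or -1 on error. */
static int run_notify(int use_shell, const char *cid_num, char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        if (use_shell) {
            char cmd[512];
            snprintf(cmd, sizeof(cmd), "%s notify %s", NOTIFY_PROG, cid_num);
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        } else {
            char *const argv[] = { NOTIFY_PROG, "notify", (char *)cid_num, NULL };
            execv(NOTIFY_PROG, argv);
        }
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 && (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (int)total;
}

int main(void)
{
    char buf[256];
    const char *cid = "1000; echo INJECTED"; /* constructed sample caller-id */
    if (run_notify(1, cid, buf, sizeof buf) >= 0) printf("shell:\n%s", buf);
    if (run_notify(0, cid, buf, sizeof buf) >= 0) printf("argv:\n%s", buf);
    return 0;
}
```

In the shell variant the `;` ends the notifier command and a second command runs; in the argv variant the same bytes reach the notifier as one literal argument.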

Link: https://packetstormsecurity.com/files/143972/AST-2017-006.txt