11 matches found
CVE-2020-26262
Technical details about CVE-2020-26262 are not publicly provided in the supplied documents; no affected versions or fixes are confirmed here. Monitor for updates from official advisories.
CVE-2020-4067
coturn version 4.5.1.3 and earlier contains a vulnerability where the STUN/TURN response buffer is not initialized properly, allowing an attacker to leak information between distinct client connections by querying padding bytes. This is a consequence of an uninitialized memory region in the r...
CVE-2020-6062
CVE-2020-6062 affects coturn’s web server POST handling, where a crafted HTTP POST request can trigger a server crash and denial of service. The connected advisories confirm the same issue across multiple distributions and show the root cause as improper handling of POST requests. Affected produc...
CVE-2020-6061
CVE-2020-6061 affects coturn (CoTURN) web server: a crafted HTTP POST request can trigger a heap out-of-bounds read in the server when parsing POST data, leading to information leaks and misbehavior. The vulnerability is associated with CoTURN 4.5.1.1 and was fixed in updated package releases acr...
CVE-2018-4059
CVE-2018-4059 affects coturn (TURN/STUN server). The issue is an unsafe default configuration: by default the TURN server runs an unauthenticated telnet admin portal on the loopback interface, allowing an attacker with telnet access to gain administrator rights over the TURN server. Impact can in...
CVE-2018-4056
Affected software: coturn (TURN server) with vulnerable administrator web portal, prior to version 4.5.0.9. Issue: SQL injection via a specially crafted username in the login message can bypass authentication and grant access to the administrator web portal (remote via the external interface). Ev...
CVE-2026-27624
Coturn was vulnerable to a bypass of the IPv4-mapped IPv6 loopback/denied-peer-ip checks prior to 4.9.0. The root cause was that three functions in src/client/ns_turn_ioaddr.c did not check IN6_IS_ADDR_V4MAPPED, allowing a CreatePermission/ChannelBind with ::ffff:127.0.0.1 to bypass 127.0.0.0/8 l...
CVE-2018-4058
CVE-2018-4058 affects the TURN server functionality in coTURN prior to 4.5.0.9. The default configuration allows relaying external traffic to the loopback interface of the host, which can give an attacker access to other private services running on that host by initiating a relay with a loopback ...
CVE-2026-43915
CVE-2026-43915 affects Coturn prior to 4.11.0, where the web-admin HTTPS interface is vulnerable to a stored XSS via a crafted TURN USERNAME when an allocation is created. An authenticated web-admin user viewing the TURN session list can trigger script execution; in configurations with anonymous acc...
CVE-2026-40613
CVE-2026-40613 affects coturn prior to 4.10.0, where STUN/TURN attribute parsing in ns_turn_msg.c performs unsafe pointer casts from uint8_t* to uint16_t* without alignment checks. On ARM64 (AArch64) with strict alignment, processing crafted STUN messages with odd-aligned attribute boundaries tri...
CVE-2026-43994
CVE-2026-43994 affects coturn before 4.10.0: a stack buffer overflow in decode_oauth_token_gcm() occurs when parsing an attacker-supplied OAuth token’s nonce_len, which is copied directly to a 256-byte stack buffer without bounds checking. Up to 735 bytes of attacker-controlled data may be writte...