Asterisk has a unauthorized-access vulnerability. A remote authenticated attacker could obtain information including other user's voicemail recordings via a specially crafted "folder" parameter with the request of "vmail.cgi".
Asterisk version 1.0.9 and prior
Asterisk version 1.2.0-beta1 and prior
A fix is available via CVS.