CVE-2019-12324

A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:akuvox:sp-r50p_firmware:50.0.6.156:*:*:*:*:*:*:*
cpe:2.3:h:akuvox:sp-r50p:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:22

Type Values Removed Values Added
References () https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Akuvox_R50P.pdf - Exploit, Third Party Advisory () https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Akuvox_R50P.pdf - Exploit, Third Party Advisory

Information

Published : 2019-07-22 16:15

Updated : 2024-11-21 04:22


NVD link : CVE-2019-12324

Mitre link : CVE-2019-12324

CVE.ORG link : CVE-2019-12324


JSON object : View

Products Affected

akuvox

  • sp-r50p
  • sp-r50p_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')