CVE-2019-12328

A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:atcom:a10w_firmware:2.6.1a2421:*:*:*:*:*:*:*
cpe:2.3:h:atcom:a10w:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:22

Type Values Removed Values Added
References () https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf - Exploit, Mitigation, Third Party Advisory () https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf - Exploit, Mitigation, Third Party Advisory
CVSS v2 : 9.0
v3 : 8.8
v2 : 9.0
v3 : 9.0

Information

Published : 2019-07-22 18:15

Updated : 2024-11-21 04:22


NVD link : CVE-2019-12328

Mitre link : CVE-2019-12328

CVE.ORG link : CVE-2019-12328


JSON object : View

Products Affected

atcom

  • a10w
  • a10w_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')