A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
References
Link | Resource |
---|---|
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf | Exploit Mitigation Third Party Advisory |
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf | Exploit Mitigation Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 04:22
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf - Exploit, Mitigation, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 9.0
v3 : 9.0 |
Information
Published : 2019-07-22 18:15
Updated : 2024-11-21 04:22
NVD link : CVE-2019-12328
Mitre link : CVE-2019-12328
CVE.ORG link : CVE-2019-12328
JSON object : View
Products Affected
atcom
- a10w
- a10w_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')