CVE-2022-36780

Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.gov.il/en/Departments/faq/cve_advisories	Exploit Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-668~~	CWE-306

Information

Published : 2022-09-13 15:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-36780

Mitre link : CVE-2022-36780

CVE.ORG link : CVE-2022-36780

JSON object : View

Products Affected

avdorcis

crystal_quality

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2022-36780", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@cyber.gov.il", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.5}]}, "published": "2022-09-13T15:15:08.667", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cna@cyber.gov.il"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number."}, {"lang": "es", "value": "Avdor CIS - crystal quality. Errores de Administraci\u00f3n de Credenciales. El producto es un grabador de llamadas telef\u00f3nicas, pueden escucharse todas las llamadas grabadas sin autenticarse en el sistema. El atacante env\u00eda una URL dise\u00f1ada al sistema: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id del n\u00famero grabado"}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B48A54B0-CE93-4B18-A440-247F4662FA26"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cyber.gov.il"}