PT-2019-13568 · Alcatel Lucent Enterprise · Alcatel-Lucent Enterprise (Ale) 8008 Cloud Edition Deskphone

Publicado

2019-08-01

Atualizado

2020-08-24

CVE-2019-14260

CVSS v3.1

8.0

Alta

Vetor

AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone version 1.50.13

Description A command injection issue due to missing input validation in the password change field of the Change Password interface allows an authenticated remote attacker in the same network to execute OS commands via shell commands in a POST request to the "Change Password" interface, specifically through the password change field.

Recommendations For version 1.50.13, consider restricting access to the Change Password interface until a patch is available, and avoid using the password change field with unvalidated input to minimize the risk of exploitation.

Exploit

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

CVE-2019-14260

Produtos afetados

Alcatel-Lucent Enterprise (Ale) 8008 Cloud Edition Deskphone

PT-2019-13568 · Alcatel Lucent Enterprise · Alcatel-Lucent Enterprise (Ale) 8008 Cloud Edition Deskphone

CVE-2019-14260

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 3