PT-2019-9952 · Auerswald · Auerswald COMfort 1200 IP phone

Published: 2019-05-29 · Updated: 2020-08-24 · CVE-2018-19977

CVSS v3.1: 8.0 (High)
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Auerswald COMfort 1200 IP phone, version 3.4.4.1-10589

Description: The vulnerability is an OS command injection caused by missing input validation and escaping in the FTP upgrade configuration interface. An authenticated remote attacker on the same network as the device can execute OS commands, such as starting telnetd or opening a reverse shell, by sending a crafted POST request to the web server.

Recommendations: For Auerswald COMfort 1200 IP phone version 3.4.4.1-10589, restrict access to the FTP upgrade configuration interface until a patch is available. As a temporary workaround, limit the ability to send POST requests to the web server from unauthorized sources. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
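
The root cause named above (form fields reaching a shell without validation or escaping) is illustrated by the following added example; it is not code from the advisory or from the vendor's firmware. The field names, the BusyBox-style ftpget invocation and the /tmp download path are assumptions, chosen to show the weak pattern next to a hardened handler that validates each field and executes without a shell.

```python
import re
import subprocess

# Constructed example of an FTP upgrade handler. The advisory does not name the
# binary the phone runs; ftpget's flags (-u USER -p PASS HOST LOCAL REMOTE)
# follow BusyBox and are assumed here.

HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")   # hostname or IPv4
PATH_RE = re.compile(r"^(?!.*\.\.)[A-Za-z0-9/][A-Za-z0-9._/-]{0,254}$")
CTRL = set("\x00\r\n")                                  # never valid in a field

def vulnerable_command(form):
    """The flaw: POST fields interpolated into one shell string, unvalidated."""
    return "ftpget -u %(user)s -p %(pass)s %(host)s /tmp/fw.bin %(path)s" % form

def validate_ftp_settings(form):
    """Return (True, '') or (False, reason) using tight allow-lists per field."""
    for key in ("host", "user", "pass", "path"):
        if key not in form:
            return False, "missing field: " + key
    if not HOST_RE.match(form["host"]):
        return False, "host is not a valid hostname or IPv4 address"
    if not PATH_RE.match(form["path"]):
        return False, "path contains characters outside the allow-list"
    for key in ("user", "pass"):
        value = form[key]
        if not 1 <= len(value) <= 64 or CTRL & set(value):
            return False, key + " is empty, too long, or has control characters"
    return True, ""

def build_argv(form):
    """Hardened form: validate, then pass every value as its own argv element."""
    ok, reason = validate_ftp_settings(form)
    if not ok:
        raise ValueError(reason)
    return ["ftpget", "-u", form["user"], "-p", form["pass"],
            form["host"], "/tmp/fw.bin", form["path"]]

def run_upgrade(form):
    """Execute without a shell, so argv is never re-parsed as a command line."""
    return subprocess.run(build_argv(form), shell=False, check=False).returncode
```

Because build_argv never hands the values to /bin/sh, a password containing spaces or quotes stays a single argument, while the allow-lists reject any host or path that would have altered the command in the vulnerable variant.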

Exploit

OS Command Injection


Weakness Enumeration

Related Identifiers: CVE-2018-19977

Affected Products: Auerswald COMfort 1200 IP phone