Heyder Andrade

Name of the Vulnerable Software and Affected Versions: Polycom Web Management Interface G3/HDX 8000 HD with Durango version 2.6.0 4740 Polycom Linux Development Platform version 2.14.g3 Description: The issue is related to a default blank administrative password in the Polycom Web Management Interface, which can be used without setting a password. Recommendations: For Polycom Web Management Interface G3/HDX 8000 HD with Durango version 2.6.0 4740, set a strong administrative password to prevent unauthorized access. For Polycom Linux Development Platform version 2.14.g3, configure a secure administrative password to mitigate the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Polycom HDX Video End Points versions prior to 3.0.4 Polycom UC APL versions prior to 2.7.1.J Description: The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `name` parameter of the a getlog.cgi endpoint. This is a directory traversal vulnerability. Recommendations: For Polycom HDX Video End Points versions prior to 3.0.4, update to version 3.0.4 or later. For Polycom UC APL versions prior to 2.7.1.J, update to version 2.7.1.J or later. As a temporary workaround, consider restricting access to the a getlog.cgi endpoint until a patch is available. Avoid using the `name` parameter with .. (dot dot) sequences in the a getlog.cgi endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Polycom HDX Video End Points versions prior to 3.0.4 UC APL versions prior to 2.7.1.J Description: The issue allows remote authenticated users to execute arbitrary commands. This can be demonstrated by appending a semicolon to the ping command feature, which enables the execution of additional commands. Recommendations: For Polycom HDX Video End Points versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. For UC APL versions prior to 2.7.1.J, update to version 2.7.1.J or later to resolve the issue. As a temporary workaround, consider restricting access to the ping command feature to minimize the risk of exploitation.