PT-2018-4308 · Unify · OpenScape Desk Phone IP (+1)

Published: 2018-04-12 · Updated: 2021-09-09 · CVE-2014-9563

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Unify OpenStage SIP and OpenScape Desk Phone IP V3 devices, versions prior to R3.32.0

Description: The issue is a CRLF injection vulnerability in the web-based management interface of the affected devices. It allows remote authenticated users to modify the root password, which can lead to unauthorized access to the debug port over the serial interface. The vulnerability is exploited via the ssh-password parameter to the "page.cmd" endpoint.

Recommendations: For versions prior to R3.32.0, update to R3.32.0 or later, which resolves the issue. As a temporary workaround, restrict access to the web-based management interface and to the serial interface to reduce the risk of exploitation, and avoid using the ssh-password parameter of the affected endpoint until the update is applied.
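As an added illustration of the bug class named above (example code written for this page, not Unify's firmware; the colon-separated credential line and the query-string shape are assumptions), the following Python contrasts a vulnerable line-based write with a validated one and adds a log-side check for CR/LF in the ssh-password parameter:

```python
import re
from urllib.parse import parse_qs

# Any ASCII control character, which covers CR (\r) and LF (\n).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class CrlfInjectionError(ValueError):
    """Raised when a submitted value would break out of its line in a line-based store."""


def render_record_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern (constructed, not the device's real format): the
    submitted value is interpolated straight into one line of a
    colon-separated credential file, so an embedded CR/LF appends a whole
    extra record instead of staying inside the password field."""
    return f"{user}:{password}\n"


def validate_field(name: str, value: str) -> str:
    """Hardened pattern: reject control characters before the value reaches the store."""
    if CONTROL_CHARS.search(value):
        raise CrlfInjectionError(f"{name}: control characters are not allowed")
    return value


def render_record_safe(user: str, password: str) -> str:
    """Same writer, but every field is validated first."""
    validate_field("user", user)
    validate_field("ssh-password", password)
    return f"{user}:{password}\n"


def count_records(rendered: str) -> int:
    """Integrity check: one submitted record must yield exactly one stored line."""
    return len(rendered.splitlines())


def flags_crlf_in_request(query_string: str) -> bool:
    """Detection helper for web-server access logs: True when the ssh-password
    parameter of a request (for example to page.cmd) percent-decodes to a
    control character such as CR or LF."""
    params = parse_qs(query_string, keep_blank_values=True)
    return any(CONTROL_CHARS.search(v) for v in params.get("ssh-password", []))
```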


Related Identifiers

CVE-2014-9563

Affected Products

OpenScape Desk Phone IP
Unify OpenStage SIP