PT-2019-13568 · Alcatel Lucent Enterprise · Alcatel-Lucent Enterprise (Ale) 8008 Cloud Edition Deskphone
Published
2019-08-01
·
Updated
2020-08-24
·
CVE-2019-14260
CVSS v3.1
8.0
High
| Vector | AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone version 1.50.13
Description
A command injection issue due to missing input validation in the password change field of the Change Password interface allows an authenticated remote attacker in the same network to execute OS commands via shell commands in a POST request to the "Change Password" interface, specifically through the password change field.
Recommendations
For version 1.50.13, consider restricting access to the Change Password interface until a patch is available, and avoid using the password change field with unvalidated input to minimize the risk of exploitation.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alcatel-Lucent Enterprise (Ale) 8008 Cloud Edition Deskphone