PT-2020-10322 · NEC · SV9100 +4

Published: 2020-07-29 · Updated: 2021-07-21 · CVE-2019-20029

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Aspire-derived NEC PBXes (affected versions not specified)
SV8100 (affected versions not specified)
SV9100 (affected versions not specified)
SL1100 (affected versions not specified)
SL2100 (affected versions not specified)

Description

A privilege escalation issue exists in the WebPro functionality, allowing a specially crafted HTTP POST to cause escalation to a higher privileged account, including an undocumented developer level of access.

Recommendations

For Aspire-derived NEC PBXes, consider restricting access to the WebPro functionality until a fix is available. For SV8100, SV9100, SL1100, and SL2100 devices, avoid using the WebPro functionality with untrusted input until the issue is resolved. As a temporary workaround, consider disabling the WebPro functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2019-20029

Affected Products

Aspire-derived NEC PBXes
SL1100
SL2100
SV8100
SV9100