CVE-2019-11355

Name of the Vulnerable Software and Affected Versions Poly (formerly Polycom) HDX version 3.1.13

Description An issue exists in the administrator's page, where a feature allows the creation or upload of server/client certificates. The user-input value is used in a shell script on the equipment, and by entering a special character, such as a single quote, in a CN or other CSR field, a command can be inserted into a factor value. This allows a system command to be executed as root.

Recommendations For Poly (formerly Polycom) HDX version 3.1.13, consider restricting access to the certificate creation and upload feature on the administrator's page until a fix is available. As a temporary workaround, avoid using special characters in CN or CSR fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.