CVE-2018-16216
Summary
| CVE | CVE-2018-16216 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-25 20:29:00 UTC |
| Updated | 2019-10-03 00:03:00 UTC |
| Description | A command injection (missing input validation, escaping) in the monitoring or memory status web interface in AudioCodes 405HD (firmware 2.2.12) VoIP phone allows an authenticated remote attacker in the same network as the device to trigger OS commands (like starting telnetd or opening a reverse shell) via a POST request to the web server. In combination with another attack (unauthenticated password change), the attacker can circumvent the authentication requirement. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Audiocodes | 405hd | - | All | All | All |
| Hardware | Audiocodes | 405hd | - | All | All | All |
| Operating System | Audiocodes | 405hd Firmware | 2.2.12 | All | All | All |
| Operating System | Audiocodes | 405hd Firmware | 2.2.12 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_AudioCodes_405HD.pdf | MISC | www.sit.fraunhofer.de | Exploit, Mitigation, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.