{"api_version":"1","generated_at":"2026-04-23T09:50:54+00:00","cve":"CVE-2017-12305","urls":{"html":"https://cve.report/CVE-2017-12305","api":"https://cve.report/api/cve/CVE-2017-12305.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-12305","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-12305"},"summary":{"title":"CVE-2017-12305","description":"A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting additional command input to the affected parameter in the debug shell. Cisco Bug IDs: CSCvf80034.","state":"PUBLIC","assigner":"psirt@cisco.com","published_at":"2017-11-16 07:29:00","updated_at":"2019-10-09 23:22:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/101869","name":"101869","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Cisco IP Phone 8800 Series CVE-2017-12305 Local Command Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1039829","name":"1039829","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Cisco IP Phone 8800 Series Input Validation Flaw Lets Local Users Gain Elevated Privileges - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ipp","name":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ipp","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Cisco IP Phone 8800 Series Command Injection Vulnerability in Debug Shell","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-12305","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12305","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"12305","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"cisco","cpe5":"ip_phone_8800_series_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12305","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"cisco","cpe5":"ip_phone_8800_series_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@cisco.com","ID":"CVE-2017-12305","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Cisco IP Phone 8800 Series","version":{"version_data":[{"version_value":"Cisco IP Phone 8800 Series"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting additional command input to the affected parameter in the debug shell. Cisco Bug IDs: CSCvf80034."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-77"}]}]},"references":{"reference_data":[{"name":"1039829","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1039829"},{"name":"101869","refsource":"BID","url":"http://www.securityfocus.com/bid/101869"},{"name":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ipp","refsource":"CONFIRM","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ipp"}]}},"nvd":{"publishedDate":"2017-11-16 07:29:00","lastModifiedDate":"2019-10-09 23:22:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.7,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:C/I:C/A:C","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":7.2},"severity":"HIGH","exploitabilityScore":3.9,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:cisco:ip_phone_8800_series_firmware:*:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"12305","Ordinal":"109453","Title":"CVE-2017-12305","CVE":"CVE-2017-12305","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"12305","Ordinal":"1","NoteData":"A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting additional command input to the affected parameter in the debug shell. Cisco Bug IDs: CSCvf80034.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"12305","Ordinal":"2","NoteData":"2017-11-16","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"12305","Ordinal":"3","NoteData":"2017-11-18","Type":"Other","Title":"Modified"}]}}}