CVE-2019-12328

A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9 CRITICAL
ADJACENT_NETWORK
LOW
LOW
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
mitreCNA
9 CRITICAL
ADJACENT_NETWORK
LOW
LOW
CVSS:3.0/AC:L/AV:A/A:H/C:H/I:H/PR:L/S:C/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
atcoma10w_firmware
2.6.1a2421:a2421
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Atcom_A10W.pdf