CVE-2019-14260
CVE-2019-14260 is a vulnerability of currently unknown severity. On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request. EPSS estimates a 2.80% chance of exploitation in the next 30 days.
Description
On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Al-Enterprise | 8008 Firmware | 1.50.13 |
References
- https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Alcatel_8008CloudEditionDeskPhone.pdf?_=1559026340 (Exploit, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
