HIGH · 8.0

CVE-2019-14259

Vulnerability Description

On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

CVSS Score

8.0 (HIGH)

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
Polycom | Obihai Obi1022 Firmware | 5.1.11
Polycom | Obihai Obi1022 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-14259?

CVE-2019-14259 is a vulnerability with a CVSS score of 8.0 (HIGH). On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface all...

How severe is CVE-2019-14259?

CVE-2019-14259 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-14259?

Check the references section above for vendor advisories and patch information. Affected products include: Polycom Obihai Obi1022 Firmware, Polycom Obihai Obi1022.