ID

VAR-201904-0707


CVE

CVE-2018-16220


TITLE

AudioCodes 405HD VoIP phone Firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-015339

DESCRIPTION

Cross Site Scripting in different input fields (domain field and personal settings) in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an attacker (local or remote) to inject JavaScript into the web interface of the device by manipulating the phone book entries or manipulating the domain name sent to the device from the domain controller. The AudioCodes 405HD VoIP phone firmware contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. AudioCodes 405HD VoIP Phone is an IP phone product of the Israeli company AudioCodes. The vulnerability stems from the web application's lack of correct verification of client data. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2018-16220 // JVNDB: JVNDB-2018-015339 // VULHUB: VHN-126558

AFFECTED PRODUCTS

vendor: audiocodes, model: 405hd, scope: eq, version: 2.2.12

Trust: 1.8

sources: JVNDB: JVNDB-2018-015339 // NVD: CVE-2018-16220

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-16220
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-16220
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201904-1191
value: MEDIUM

Trust: 0.6

VULHUB: VHN-126558
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-16220
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-126558
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-16220
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-126558 // JVNDB: JVNDB-2018-015339 // CNNVD: CNNVD-201904-1191 // NVD: CVE-2018-16220

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-126558 // JVNDB: JVNDB-2018-015339 // NVD: CVE-2018-16220

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-1191

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201904-1191

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015339

PATCH

title: 405HD IP Phone, url: https://www.audiocodes.com/solutions-products/products/ip-phones/405hd-ip-phone

Trust: 0.8

sources: JVNDB: JVNDB-2018-015339

EXTERNAL IDS

db: NVD, id: CVE-2018-16220

Trust: 2.5

db: JVNDB, id: JVNDB-2018-015339

Trust: 0.8

db: CNNVD, id: CNNVD-201904-1191

Trust: 0.7

db: VULHUB, id: VHN-126558

Trust: 0.1

sources: VULHUB: VHN-126558 // JVNDB: JVNDB-2018-015339 // CNNVD: CNNVD-201904-1191 // NVD: CVE-2018-16220

REFERENCES

url: https://www.sit.fraunhofer.de/fileadmin/dokumente/cve/advisory_audiocodes_405hd.pdf

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-16220

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16220

Trust: 0.8

sources: VULHUB: VHN-126558 // JVNDB: JVNDB-2018-015339 // CNNVD: CNNVD-201904-1191 // NVD: CVE-2018-16220

SOURCES

db: VULHUB, id: VHN-126558
db: JVNDB, id: JVNDB-2018-015339
db: CNNVD, id: CNNVD-201904-1191
db: NVD, id: CVE-2018-16220

LAST UPDATE DATE

2024-11-23T21:59:59.972000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-126558, date: 2019-04-26T00:00:00
db: JVNDB, id: JVNDB-2018-015339, date: 2019-05-28T00:00:00
db: CNNVD, id: CNNVD-201904-1191, date: 2019-04-28T00:00:00
db: NVD, id: CVE-2018-16220, date: 2024-11-21T03:52:18.473

SOURCES RELEASE DATE

db: VULHUB, id: VHN-126558, date: 2019-04-25T00:00:00
db: JVNDB, id: JVNDB-2018-015339, date: 2019-05-28T00:00:00
db: CNNVD, id: CNNVD-201904-1191, date: 2019-04-25T00:00:00
db: NVD, id: CVE-2018-16220, date: 2019-04-25T20:29:01.913