ID

VAR-201908-0895


CVE

CVE-2019-14260


TITLE

Alcatel-Lucent Enterprise 8008 Cloud Edition Deskphone VoIP phone Command injection vulnerability in some firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-007413

DESCRIPTION

On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request. ALE 8008 Cloud Edition Deskphone VoIP is a cloud-based desktop IP phone from ALE, France. The vulnerability stems from the network system or product not properly filtering special elements; an attacker could use this vulnerability to execute illegal commands.

Trust: 2.25

sources: NVD: CVE-2019-14260 // JVNDB: JVNDB-2019-007413 // CNVD: CNVD-2019-42770 // VULHUB: VHN-146189

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-42770

AFFECTED PRODUCTS

vendor: al, model: 8008, scope: eq, version: 1.50.13

Trust: 1.0

vendor: alcatel lucent, model: 8008 cloud edition deskphone, scope: eq, version: 1.50.13

Trust: 0.8

vendor: ale, model: cloud edition deskphone voip, scope: eq, version: 80081.50.13

Trust: 0.6

sources: CNVD: CNVD-2019-42770 // JVNDB: JVNDB-2019-007413 // NVD: CVE-2019-14260

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14260
value: HIGH

Trust: 1.0

NVD: CVE-2019-14260
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-42770
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-160
value: HIGH

Trust: 0.6

VULHUB: VHN-146189
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-14260
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-42770
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-146189
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14260
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-42770 // VULHUB: VHN-146189 // JVNDB: JVNDB-2019-007413 // CNNVD: CNNVD-201908-160 // NVD: CVE-2019-14260

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-146189 // JVNDB: JVNDB-2019-007413 // NVD: CVE-2019-14260

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201908-160

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-160

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007413

PATCH

title: Cloud Edition DeskPhones, url: https://www.al-enterprise.com/en/products/devices/cloud-edition-deskphones

Trust: 0.8

sources: JVNDB: JVNDB-2019-007413

EXTERNAL IDS

db: NVD, id: CVE-2019-14260

Trust: 3.1

db: JVNDB, id: JVNDB-2019-007413

Trust: 0.8

db: CNNVD, id: CNNVD-201908-160

Trust: 0.7

db: CNVD, id: CNVD-2019-42770

Trust: 0.6

db: VULHUB, id: VHN-146189

Trust: 0.1

sources: CNVD: CNVD-2019-42770 // VULHUB: VHN-146189 // JVNDB: JVNDB-2019-007413 // CNNVD: CNNVD-201908-160 // NVD: CVE-2019-14260

REFERENCES

url: https://www.sit.fraunhofer.de/fileadmin/dokumente/cve/advisory_alcatel_8008cloudeditiondeskphone.pdf?_=1559026340

Trust: 3.1

url: https://nvd.nist.gov/vuln/detail/cve-2019-14260

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14260

Trust: 0.8

sources: CNVD: CNVD-2019-42770 // VULHUB: VHN-146189 // JVNDB: JVNDB-2019-007413 // CNNVD: CNNVD-201908-160 // NVD: CVE-2019-14260

SOURCES

db: CNVD, id: CNVD-2019-42770
db: VULHUB, id: VHN-146189
db: JVNDB, id: JVNDB-2019-007413
db: CNNVD, id: CNNVD-201908-160
db: NVD, id: CVE-2019-14260

LAST UPDATE DATE

2024-11-23T22:16:55.369000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-42770, date: 2019-11-29T00:00:00
db: VULHUB, id: VHN-146189, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007413, date: 2019-08-09T00:00:00
db: CNNVD, id: CNNVD-201908-160, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-14260, date: 2024-11-21T04:26:19.043

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-42770, date: 2019-11-29T00:00:00
db: VULHUB, id: VHN-146189, date: 2019-08-01T00:00:00
db: JVNDB, id: JVNDB-2019-007413, date: 2019-08-09T00:00:00
db: CNNVD, id: CNNVD-201908-160, date: 2019-08-01T00:00:00
db: NVD, id: CVE-2019-14260, date: 2019-08-01T20:15:11.273