ID
VAR-201910-1677
CVE
CVE-2019-12148
TITLE
Sangoma Session Border Controller Authentication vulnerability
Trust: 0.8
DESCRIPTION
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin web portal without providing any credentials. This affects /var/webconfig/gui/Webconfig.inc.php. Sangoma Technologies SBC is a Border Session Controller (SBC) from Sangoma Technologies of Canada. Sangoma Technologies SBC 2.3.23-119-GA version has a parameter injection vulnerability. An attacker can use this vulnerability to bypass authentication and log in as a non-existent user, and obtain full access to the database, including the creation of authorized users
Trust: 2.16
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | sangoma | model: | session border controller | scope: | eq | version: | 2.3.23-119-ga | Trust: 1.0 |
| vendor: | sangoma | model: | session border controller | scope: | eq | version: | 2.3.23-119 ga | Trust: 0.8 |
| vendor: | sangoma | model: | sbc 2.3.23-119-ga | scope: | - | version: | - | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-88 | Trust: 1.0 |
| problemtype: | CWE-287 | Trust: 0.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
parameter injection
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Session Border Controllers | url: | https://www.sangoma.com/voip-security/session-border-controllers/ | Trust: 0.8 |
| title: | Patch for Sangoma Technologies SBC Parameter Injection Vulnerability | url: | https://www.cnvd.org.cn/patchInfo/show/187531 | Trust: 0.6 |
| title: | Sangoma Technologies SBC Remediation measures for authorization problem vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=101248 | Trust: 0.6 |
EXTERNAL IDS
| db: | PACKETSTORM | id: | 154915 | Trust: 3.0 |
| db: | NVD | id: | CVE-2019-12148 | Trust: 3.0 |
| db: | JVNDB | id: | JVNDB-2019-011392 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2019-37730 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-201910-1234 | Trust: 0.6 |
REFERENCES
| url: | http://packetstormsecurity.com/files/154915/sangoma-sbc-2.3.23-119-ga-authentication-bypass.html | Trust: 3.6 |
| url: | http://seclists.org/fulldisclosure/2019/oct/41 | Trust: 1.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2019-12148 | Trust: 1.4 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12148 | Trust: 0.8 |
CREDITS
Appsecco Security Team
Trust: 0.6
SOURCES
| db: | CNVD | id: | CNVD-2019-37730 |
| db: | JVNDB | id: | JVNDB-2019-011392 |
| db: | CNNVD | id: | CNNVD-201910-1234 |
| db: | NVD | id: | CVE-2019-12148 |
LAST UPDATE DATE
2024-11-23T22:21:24.905000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2019-37730 | date: | 2019-10-29T00:00:00 |
| db: | JVNDB | id: | JVNDB-2019-011392 | date: | 2019-11-06T00:00:00 |
| db: | CNNVD | id: | CNNVD-201910-1234 | date: | 2020-09-02T00:00:00 |
| db: | NVD | id: | CVE-2019-12148 | date: | 2024-11-21T04:22:18.840 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2019-37730 | date: | 2019-10-29T00:00:00 |
| db: | JVNDB | id: | JVNDB-2019-011392 | date: | 2019-11-06T00:00:00 |
| db: | CNNVD | id: | CNNVD-201910-1234 | date: | 2019-10-18T00:00:00 |
| db: | NVD | id: | CVE-2019-12148 | date: | 2019-10-22T16:15:10.797 |