CVE-2018-0341

EPSS 2.66%
Veröffentlicht 16.07.2018 17:29:00
Zuletzt bearbeitet 21.11.2024 03:38:01
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware before 11.2(1) could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field. Cisco Bug IDs: CSCvi51426.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Ip Phone Multiplatform Firmware Version11.1(2)

   Cisco ≫ Ip Phone 6841 Version-
   Cisco ≫ Ip Phone 6851 Version-
   Cisco ≫ Ip Phone 7811 Version-
   Cisco ≫ Ip Phone 7821 Version-
   Cisco ≫ Ip Phone 7841 Version-
   Cisco ≫ Ip Phone 7861 Version-
   Cisco ≫ Ip Phone 8811 Version-
   Cisco ≫ Ip Phone 8841 Version-
   Cisco ≫ Ip Phone 8845 Version-
   Cisco ≫ Ip Phone 8851 Version-
   Cisco ≫ Ip Phone 8861 Version-
   Cisco ≫ Ip Phone 8865 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.66%	0.852

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/104731

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1041285

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-phone-webui-inject

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-0341

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-0341

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-0341

EUVD