Main Vulnerability Database Vulnerabilities #VU19308

Cross-site request forgery in AudioCodes products - CVE-2019-9231

Published: July 23, 2019

Vulnerability identifier: #VU19308

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-9231

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
AudioCodes Mediant 800C-MSBR
AudioCodes Mediant M800B-MSBR
AudioCodes Mediant 500-MBSR
AudioCodes Mediant 500L-MSBR

Software vendor:
AudioCodes

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists in the management web interface due to the CSRF protection is not activated by default. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Install updates from vendor's website and activate the CSRF protection. The option could be enabled only by the upload of a ini file with the parameter "CSRFProtection=1".

External links

https://www.cirosec.de/fileadmin/1._Unternehmen/1.4._Unsere_Kompetenzen/Security_Advisory_AudioCodes_Mediant_family.pdf

Cross-site request forgery in AudioCodes products - CVE-2019-9231

Description

Remediation

External links

Please verify you're human