Arbitrary file upload in Akuvox R50P - CVE-2019-12326

 


Published: November 20, 2019


Vulnerability identifier: #VU22866
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-12326
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Akuvox R50P
Software vendor: Akuvox

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to missing file and path validation in the ringtone upload function. A remote authenticated attacker can upload a manipulated ringtone file with an executable payload (shell commands within the file) and trigger code execution.
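The two checks the description says are missing, file validation and path validation, are sketched below as an added example. It is not Akuvox code and does not come from the advisory. The storage directory, the size cap, the allowed-name rule and the assumption that ringtones are RIFF/WAVE files are all hypothetical.

```python
import os
import struct

# Assumptions (not from the advisory): ringtones are RIFF/WAVE files kept in a
# single directory; the directory, size cap and name rule are illustrative.
RINGTONE_DIR = "/var/ringtones"        # hypothetical storage directory
MAX_BYTES = 2 * 1024 * 1024            # hypothetical size cap
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")

# Constructed sample input: a minimal RIFF/WAVE container with an empty body.
SAMPLE_WAV = b"RIFF" + struct.pack("<I", 4) + b"WAVE"


class UploadRejected(ValueError):
    """Raised when an upload fails file or path validation."""


def validate_ringtone(filename: str, data: bytes,
                      base_dir: str = RINGTONE_DIR) -> str:
    """Return the absolute path the upload may be written to, or raise."""
    # Path validation: the client-supplied name must be a bare "<stem>.wav"
    # with no separators, dots or shell metacharacters in the stem.
    stem, ext = os.path.splitext(filename)
    if ext.lower() != ".wav" or not stem or not set(stem) <= SAFE_CHARS:
        raise UploadRejected("file name not allowed")
    # Resolve symlinks and confirm the target stays inside the ringtone dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, stem + ".wav"))
    if os.path.dirname(target) != base:
        raise UploadRejected("target escapes ringtone directory")

    # File validation: size cap, RIFF/WAVE magic, consistent length field.
    if not 12 <= len(data) <= MAX_BYTES:
        raise UploadRejected("bad size")
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise UploadRejected("not a WAVE file")
    (riff_len,) = struct.unpack("<I", data[4:8])
    if riff_len != len(data) - 8:
        raise UploadRejected("RIFF length does not match upload size")
    return target
```

Header checks do not make the file's contents safe to interpret; the stored ringtone must only ever be handled as audio data and its name or contents never passed to a shell.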


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
