[CVE-2014-5335] CSRF in Innovaphone PBX

Innovaphone PBX Admin-GUI CSRF

Impact: High
CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C)
Announced: August 21, 2014
Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, https://www.nsideattacklogic.de/)
Products: Innovaphone PBX Administration GUI
Affected Versions: all known versions (tested 10.00 sr11)
CVE-id: CVE-2014-5335

Summary

The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace.

The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF).

Description

The UI does not check if a request was sent…