Executive Summary
Summary | |
---|---|
Title | LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability |
Information | |||
---|---|---|---|
Name | VU#213486 | First vendor Publication | 2011-08-29 |
Vendor | VU-CERT | Last vendor Modification | 2011-10-19 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#213486
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability

Overview
LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients.

I. Description
According to LifeSize's website: "LifeSize Room combines an immersive, high definition video experience with a rich set of features to deliver a powerful, flexible, and easy-to-use video communication solution."

The LifeSize Room appliance contains an embedded web interface that allows administrative access to the appliance. This web interface fails to sanitize input from unauthenticated clients leading to an authentication bypass and possibly arbitrary code injection.

References
http://www.securestate.com/Documents/LifeSize_Room_Advisory.txt

Thanks to Spencer McIntyre of SecureState for reporting this vulnerability.
This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/213486 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-287 | Improper Authentication |
50 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 2 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
75212 | LifeSize Room Appliance Web Interface gateway.php LSRoom_Remoting.doCommand F... |
75211 | LifeSize Room Appliance Web Interface gateway.php LSRoom_Remoting.authenticat... |