Security advisory - CVE-2019-9230

Cross-site scripting in AudioCodes Mediant family

Affected Products


AudioCodes Mediant family of multi-service business routers (MSBRs) offers service providers a range of all-in-one SOHO, SMB and SME routers combining access, data, voice and security into a single device.[1]
During our research we found a DoS(CVE-2019-9228), a XXS(CVE-2019-9230) and CSRF(CVE-2019-9231) vulnerability. Although we could gain access to quagga VTYs(CVE-2019-9229).



A cross-site scripting (XSS) vulnerability in the search function of the management web interface allows remote attackers to inject arbitrary JS or HTML code via the keyword parameter. This is possible because a wrong content-type header (text/html instead of application/json) is set.

Vulnerable Endpoint


Parameter: keyword


An attacker could load External JavaScript code from a webserver. The the values are converted to uppercase and the length of the URL is limited. The attacker can host a file named "A" and the content alert("XSS");on his webserver and trigger the XSS via the following URL:


The encoding has to be applied for filter evasion.

Affected Versions

F7.20A to F7.20A.253


Update to F7.20A.254 or higher.

Disclosure Timeline

2019/02/14 vendor contacted
2019/02/14 initial vendor response
2019/02/14 vendor informs about start of review process
2019/02/15 vendor requests further details
2019/02/15 further details provided
2019/02/18 vendor informs about detail analysis
2019/02/19 vendor confirmation, planned fixes and roadmap provided
2019/03/01 CVEs assigned
2019/06/28 vendor informs that planned fixes are published