CVE-2022-36780

Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.5 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.gov.il/en/Departments/faq/cve_advisories	Exploit Third Party Advisory VDB Entry
https://www.gov.il/en/Departments/faq/cve_advisories	Exploit Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:13

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : 4.9
References	~~() https://www.gov.il/en/Departments/faq/cve_advisories - Exploit, Third Party Advisory, VDB Entry~~	() https://www.gov.il/en/Departments/faq/cve_advisories - Exploit, Third Party Advisory, VDB Entry

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-668~~	CWE-306

16 Sep 2022, 02:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:avdorcis:crystal_quality:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~(MISC) https://www.gov.il/en/Departments/faq/cve_advisories -~~	(MISC) https://www.gov.il/en/Departments/faq/cve_advisories - Exploit, Third Party Advisory, VDB Entry
CWE		CWE-668

13 Sep 2022, 15:45

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-13 15:15

Updated : 2024-11-21 07:13

NVD link : CVE-2022-36780

Mitre link : CVE-2022-36780

CVE.ORG link : CVE-2022-36780

JSON object : View

Products Affected

avdorcis

crystal_quality

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2022-36780", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@cyber.gov.il", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-13T15:15:08.667", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cna@cyber.gov.il"}, {"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number."}, {"lang": "es", "value": "Avdor CIS - crystal quality. Errores de Administraci\u00f3n de Credenciales. El producto es un grabador de llamadas telef\u00f3nicas, pueden escucharse todas las llamadas grabadas sin autenticarse en el sistema. El atacante env\u00eda una URL dise\u00f1ada al sistema: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id del n\u00famero grabado"}], "lastModified": "2024-11-21T07:13:41.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B48A54B0-CE93-4B18-A440-247F4662FA26"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cyber.gov.il"}