CVE-2002-0670

The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 uses Base64 encoded usernames and passwords for HTTP basic authentication, which allows remote attackers to steal and easily decode the passwords via sniffing.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.atstake.com/research/advisories/2002/a071202-1.txt
http://www.iss.net/security_center/static/9565.php
http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:h:pingtel:xpressa:1.2.5:::::::*
	cpe:2.3:h:pingtel:xpressa:1.2.7.4:::::::*

History

No history.

Information

Published : 2002-07-23 04:00

Updated : 2008-09-05 20:28

NVD link : CVE-2002-0670

Mitre link : CVE-2002-0670

CVE.ORG link : CVE-2002-0670

JSON object : View

Products Affected

pingtel

xpressa

CWE

NVD-CWE-Other

{"id": "CVE-2002-0670", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2002-07-23T04:00:00.000", "references": [{"url": "http://www.atstake.com/research/advisories/2002/a071202-1.txt", "source": "cve@mitre.org"}, {"url": "http://www.iss.net/security_center/static/9565.php", "source": "cve@mitre.org"}, {"url": "http://www.pingtel.com/PingtelAtStakeAdvisoryResponse.jsp", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 uses Base64 encoded usernames and passwords for HTTP basic authentication, which allows remote attackers to steal and easily decode the passwords via sniffing."}, {"lang": "es", "value": "El interfaz web de la telefon\u00eda basada en voz sobre IP dePingtel xpressa SIP desde la versi\u00f3n 1.2.5 hasta la 1.2.7.4, utiliza nombres de usuario y contrase\u00f1as cifradas en Base64 para autenticaci\u00f3n b\u00e1sica en HTTP, lo cual permite a atacantes remotos en robo y la f\u00e1cil decodificaci\u00f3n de contrase\u00f1as mediante la intercepci\u00f3n de informaci\u00f3n que navega por la red ('sniffing')."}], "lastModified": "2008-09-05T20:28:38.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:pingtel:xpressa:1.2.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5362ACDC-DA8B-4DA7-BEE3-C30083CD715D"}, {"criteria": "cpe:2.3:h:pingtel:xpressa:1.2.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F08D9EF-49D8-44CC-B33D-4EF416E80F62"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}