CVE-2022-36780 - Vulnerability Details - OpenCVE

Description

Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number.

Published: 2022-09-13

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Avdor CIS

crystal quality

affected

Version	Status	Constraints
`Update to the latest version`	affected	< unspecified

Configuration 1 [-]

cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update to the latest version.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-39480	Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00187.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.gov.il/en/Departments/faq/cve_advisories

History

No history.

Subscriptions

Avdorcis Crystal Quality

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2022-09-13T14:57:56.413Z

Updated: 2024-09-17T02:36:24.508Z

Reserved: 2022-07-26T00:00:00.000Z

Link: CVE-2022-36780

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-13T15:15:08.667

Modified: 2024-11-21T07:13:41.950

Link: CVE-2022-36780

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-306

{"containers": {"cna": {"affected": [{"product": "crystal quality", "vendor": "Avdor CIS", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "Update to the latest version", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Dudu Moyal - Sophtix Security LTD."}], "datePublic": "2022-09-11T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Credentials Management Errors", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T14:57:56.000Z", "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "value": "Update to the latest version."}], "source": {"defect": ["ILVN-2022-0051"], "discovery": "EXTERNAL"}, "title": "Avdor CIS - crystal quality Credentials Management Errors", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cyber.gov.il", "DATE_PUBLIC": "2022-09-11T05:45:00.000Z", "ID": "CVE-2022-36780", "STATE": "PUBLIC", "TITLE": "Avdor CIS - crystal quality Credentials Management Errors"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "crystal quality", "version": {"version_data": [{"version_affected": ">=", "version_value": "Update to the latest version"}]}}]}, "vendor_name": "Avdor CIS"}]}}, "credit": [{"lang": "eng", "value": "Dudu Moyal - Sophtix Security LTD."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Credentials Management Errors"}]}]}, "references": {"reference_data": [{"name": "https://www.gov.il/en/Departments/faq/cve_advisories", "refsource": "MISC", "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}, "solution": [{"lang": "en", "value": "Update to the latest version."}], "source": {"defect": ["ILVN-2022-0051"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:14:28.327Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}]}, "cveMetadata": {"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "assignerShortName": "INCD", "cveId": "CVE-2022-36780", "datePublished": "2022-09-13T14:57:56.413Z", "dateReserved": "2022-07-26T00:00:00.000Z", "dateUpdated": "2024-09-17T02:36:24.508Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avdorcis:crystal_quality:-:*:*:*:*:*:*:*", "matchCriteriaId": "B48A54B0-CE93-4B18-A440-247F4662FA26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number."}, {"lang": "es", "value": "Avdor CIS - crystal quality. Errores de Administraci\u00f3n de Credenciales. El producto es un grabador de llamadas telef\u00f3nicas, pueden escucharse todas las llamadas grabadas sin autenticarse en el sistema. El atacante env\u00eda una URL dise\u00f1ada al sistema: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id del n\u00famero grabado"}], "id": "CVE-2022-36780", "lastModified": "2024-11-21T07:13:41.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 3.4, "source": "cna@cyber.gov.il", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T15:15:08.667", "references": [{"source": "cna@cyber.gov.il", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}