Vulnerability Details: CVE-2016-2364
The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
Products affected by CVE-2016-2364
- cpe:2.3:a:fonality:fonality:12.6:*:*:*:*:*:*:*
- cpe:2.3:a:fonality:fonality:12.8:*:*:*:*:*:*:*
- cpe:2.3:a:fonality:fonality:14.1i:*:*:*:*:*:*:*
- cpe:2.3:a:fonality:hud_web:*:*:*:*:*:fonality:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2364
0.30%: Probability of exploitation activity in the next 30 days
~ 69%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-2364
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-2364
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2364
- http://www.kb.cert.org/vuls/id/754056
  VU#754056 - Fonality contains a hard-coded password and embedded SSL private key (Third Party Advisory; US Government Resource)