CVE-2009-4509

TANDBERG Video Communication Server <X4.3 - Auth Bypass


Description

The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.

References (4)

Patch, Vendor Advisory (x_refsource_misc): http://www.vsecurity.com/resources/advisory/20100409-1
Vendor Advisory, third-party advisory (x_refsource_secunia): http://secunia.com/advisories/39275
Third Party Advisory, VDB Entry, mailing list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/510672/100/0/threaded

Scores

EPSS 0.0453
EPSS Percentile 90.4%

Details

CWE
CWE-94
Status published
Products (10)
vsecurity/tandberg_video_communication_server x1.0.0
vsecurity/tandberg_video_communication_server x1.1.0
vsecurity/tandberg_video_communication_server x1.2.0
vsecurity/tandberg_video_communication_server x2.0.0
vsecurity/tandberg_video_communication_server x2.1.0
vsecurity/tandberg_video_communication_server x3.0.0
vsecurity/tandberg_video_communication_server x3.1.0
vsecurity/tandberg_video_communication_server x4.1.0
vsecurity/tandberg_video_communication_server x4.2.0
vsecurity/tandberg_video_communication_server < x4.2.1
Published Apr 13, 2010
Tracked Since Feb 18, 2026