Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Polycom Subscribe
Total 39 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41322 1 Polycom 4 Vvx 400, Vvx 400 Firmware, Vvx 410 and 1 more 2021-11-28 6.5 MEDIUM 8.8 HIGH
Poly VVX 400/410 5.3.1 allows low-privileged users to change the Admin password by modifying a POST parameter to 120 during the password reset process.
CVE-2018-18566 1 Polycom 5 Unified Communications Software, Vvx 500, Vvx 500 Firmware and 2 more 2021-06-15 5.0 MEDIUM 5.3 MEDIUM
The SIP service in Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allow remote attackers to obtain sensitive phone configuration information by leveraging use with an on-premise installation with Skype for Business.
CVE-2018-18568 1 Polycom 5 Unified Communications Software, Vvx 500, Vvx 500 Firmware and 2 more 2021-06-15 4.3 MEDIUM 5.9 MEDIUM
Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in-the-middle attackers to obtain sensitive credential information by leveraging failure to validate X.509 certificates when used with an on-premise installation with Skype for Business.
CVE-2019-14259 1 Polycom 2 Obihai Obi1022, Obihai Obi1022 Firmware 2020-08-24 7.7 HIGH 8.0 HIGH
On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.
CVE-2018-10946 1 Polycom 2 Realpresence Debut, Realpresence Debut Firmware 2020-08-24 2.7 LOW 6.8 MEDIUM
An issue was discovered in versions earlier than 1.3.0-66872 for Polycom RealPresence Debut that allows attackers to arbitrarily read the admin user's password via the admin web UI.
CVE-2019-11355 1 Polycom 1 Hdx System Software 2020-03-18 9.0 HIGH 7.2 HIGH
An issue was discovered in Poly (formerly Polycom) HDX 3.1.13. A feature exists that allows the creation of a server / client certificate, or the upload of the user certificate, on the administrator's page. The value received from the user is the factor value of a shell script on the equipment. By entering a special character (such as a single quote) in a CN or other CSR field, one can insert a command into a factor value. A system command can be executed as root.
CVE-2012-6611 1 Polycom 12 Hdx 4002, Hdx 4500, Hdx 6000 and 9 more 2020-02-14 10.0 HIGH 9.8 CRITICAL
An issue was discovered in Polycom Web Management Interface G3/HDX 8000 HD with Durango 2.6.0 4740 software and embedded Polycom Linux Development Platform 2.14.g3. It has a blank administrative password by default, and can be successfully used without setting this password.
CVE-2012-6610 1 Polycom 3 Hdx 8000, Hdx Video End Points, Uc Apl 2020-02-04 9.0 HIGH 8.8 HIGH
Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.
CVE-2012-6609 1 Polycom 3 Hdx 8000, Hdx Video End Points, Uc Apl 2020-02-04 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter.
CVE-2018-14934 1 Polycom 2 Trio 8500, Trio 8500 Firmware 2019-10-02 3.3 LOW 6.5 MEDIUM
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
CVE-2019-12948 1 Polycom 54 C12, C16, C8 and 51 more 2019-08-06 6.5 MEDIUM 8.3 HIGH
A vulnerability in the web-based management interface of VVX, Trio, SoundStructure, SoundPoint, and SoundStation phones running Polycom UC Software, if exploited, could allow an authenticated, remote attacker with admin privileges to cause a denial of service (DoS) condition or execute arbitrary code.
CVE-2019-10689 1 Polycom 2 Better Together Over Ethernet Connector, Unified Communications Software 2019-06-27 3.3 LOW 6.5 MEDIUM
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.
CVE-2018-10947 1 Polycom 2 Realpresence Debut, Realpresence Debut Firmware 2019-06-17 2.9 LOW 3.1 LOW
An issue was discovered in versions earlier than 1.3.2 for Polycom RealPresence Debut where the admin cookie is reset only after a Debut is rebooted.
CVE-2019-10688 1 Polycom 2 Better Together Over Ethernet Connector, Unified Communications Software 2019-06-17 4.6 MEDIUM 6.8 MEDIUM
VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device.
CVE-2018-15128 1 Polycom 3 Group Series, Hdx, Pano 2019-05-14 10.0 HIGH 9.8 CRITICAL
An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier. A remote code execution vulnerability exists in the content sharing functionality because of a Buffer Overflow via crafted packets.
CVE-2018-14935 1 Polycom 2 Trio 8500, Trio 8500 Firmware 2018-12-17 4.3 MEDIUM 6.1 MEDIUM
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.
CVE-2015-4684 1 Polycom 1 Realpresence Resource Manager 2018-10-09 5.5 MEDIUM 6.5 MEDIUM
Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote authenticated administrators to upload arbitrary files via the (2) Filename or (3) SE_FNAME parameter to PlcmRmWeb/FileUpload or to read and remove arbitrary files via the (4) filePathName parameter in an importSipUriReservations SOAP request to PlcmRmWeb/JUserManager.
CVE-2015-4681 1 Polycom 1 Realpresence Resource Manager 2018-10-09 7.2 HIGH 7.8 HIGH
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords.
CVE-2015-4682 1 Polycom 1 Realpresence Resource Manager 2018-10-09 4.0 MEDIUM 6.5 MEDIUM
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows remote authenticated users to obtain the installation path via an HTTP POST request to PlcmRmWeb/JConfigManager.
CVE-2015-4683 1 Polycom 1 Realpresence Resource Manager 2018-10-09 7.5 HIGH 9.8 CRITICAL
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.