A path traversal vulnerability exists in the Karel IP1211 IP Phone's web management panel. The /cgi-bin/cgiServer.exx endpoint fails to properly sanitize user input to the page parameter, allowing remote authenticated attackers to access arbitrary files on the underlying system by using crafted path traversal sequences (e.g., ../../). This can expose sensitive files such as /etc/passwd and /etc/shadow.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://web.archive.org/web/20201020023943/https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon | product |
| https://cxsecurity.com/issue/WLB-2020100038 | third party advisory exploit |
| https://www.exploit-db.com/exploits/48857 | third party advisory exploit |
| https://vulncheck.com/advisories/selea-targa-ip-camera-path-traversal | third party advisory |