Vulnerability CVE-2012-1417


Published: 2014-09-17

Description:
Multiple cross-site scripting (XSS) vulnerabilities in the Local Phonebook and Blacklist forms of Yealink VOIP phones allow remote authenticated users to inject arbitrary web script or HTML via the user field submitted to cgi-bin/ConfigManApp.com.

See advisories in our WLB2 database:

Risk  | Topic                                    | Author          | Date
Low   | Yealink VOIP Phone Cross Site Scripting  | Narendra Shinde | 14.03.2012

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score:         3.5/10
Impact Subscore:         2.9/10
Exploitability Subscore: 6.8/10

Exploit range:           Remote
Attack complexity:       Medium
Authentication:          Single time

Confidentiality impact:  None
Integrity impact:        Partial
Availability impact:     None
Affected software
Yealink -> Gigabit color ip phone sip-t32g 
Yealink -> Gigabit color ip phone sip-t38g 
Yealink -> Ip phone sip-t19p 
Yealink -> Ip phone sip-t20p 
Yealink -> Ip phone sip-t21p 
Yealink -> Ip phone sip-t22p 
Yealink -> Ip phone sip-t26p 
Yealink -> Ip phone sip-t28p 
Yealink -> Ip video phone vp530 
Yealink -> Ultra-elegant ip phone sip-t41p 
Yealink -> Ultra-elegant ip phone sip-t42g 
Yealink -> Ultra-elegant ip phone sip-t46g 
Yealink -> Ultra-elegant ip phone sip-t48g 
Yealink -> W52P 

References:
http://xforce.iss.net/xforce/xfdb/73573
http://www.securityfocus.com/bid/52209
http://www.osvdb.org/79675
http://www.exploit-db.com/exploits/18540
http://secunia.com/advisories/48194
http://packetstormsecurity.org/files/110320/yealink-xss.txt
http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html

Copyright 2024, cxsecurity.com
