Cross-Site Scripting Vulnerabilities in Yealink VOIP Phones
CVE-2012-1417

Currently unrated

Key Information:

Vendor: Yealink
Status: Ip Phone Sip-t19p; Ultra-elegant Ip Phone Sip-t41p; Ultra-elegant Ip Phone Sip-t48g; Gigabit Color Ip Phone Sip-t32g
Vendor: CVE Published:; 17 September 2014

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2012-1417?

The Yealink VOIP Phones are susceptible to multiple cross-site scripting vulnerabilities within the Local Phone book and Blacklist form. This allows remote authenticated users to inject arbitrary web scripts or HTML via the user field to cgi-bin/ConfigManApp.com. These vulnerabilities can potentially lead to unauthorized actions being performed on behalf of the affected users, thereby emphasizing the need for stringent security measures and timely updates to mitigate such risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2012-1417 - Proof of Concept

References

http://www.securityfocus.com/bid/52209

vdb-entryx_refsource_BID

http://www.osvdb.org/79675

vdb-entryx_refsource_OSVDB

https://exchange.xforce.ibmcloud.com/vulnerabilities/73573

vdb-entryx_refsource_XF

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 17, 2014
👾
Exploit known to exist
Sep 17, 2014
Vulnerability published
Sep 17, 2014
Vulnerability Reserved
Feb 28, 2012

CVE-2012-1417 Data

JSON