Cross-Site Scripting Vulnerabilities in Yealink VOIP Phones
CVE-2012-1417

Currently unrated

Key Information:

Vendor: Yealink
Status: Ip Phone Sip-t19p; Ultra-elegant Ip Phone Sip-t41p; Ultra-elegant Ip Phone Sip-t48g; Gigabit Color Ip Phone Sip-t32g
Vendor: CVE Published:; 17 September 2014

What is CVE-2012-1417?

The Yealink VOIP Phones are susceptible to multiple cross-site scripting vulnerabilities within the Local Phone book and Blacklist form. This allows remote authenticated users to inject arbitrary web scripts or HTML via the user field to cgi-bin/ConfigManApp.com. These vulnerabilities can potentially lead to unauthorized actions being performed on behalf of the affected users, thereby emphasizing the need for stringent security measures and timely updates to mitigate such risks.

References

http://www.securityfocus.com/bid/52209

vdb-entryx_refsource_BID

http://www.osvdb.org/79675

vdb-entryx_refsource_OSVDB

https://exchange.xforce.ibmcloud.com/vulnerabilities/73573

vdb-entryx_refsource_XF

Timeline

Vulnerability published
Sep 17, 2014
Vulnerability Reserved
Feb 28, 2012