CRLF Injection Vulnerability in Yealink VoIP Phones
CVE-2014-3427

Currently unrated

Key Information:

Vendor

Yealink

CVE Published:
16 July 2014

What is CVE-2014-3427?

The CRLF injection vulnerability in Yealink VoIP Phones with firmware version 28.72.0.2 enables remote attackers to manipulate HTTP headers by injecting malicious input through the model parameter sent to the servlet. Exploitation can lead to HTTP response splitting attacks, allowing unauthorized command execution and potential redirection of unsuspecting users, which poses a significant security risk for users of the affected devices.

Timeline

  • Vulnerability published

  • Vulnerability Reserved