Cross-Site Scripting Vulnerability in Yealink VoIP Phones
CVE-2014-3428

Currently unrated

Key Information:

Vendor: Yealink
Status: Voip Phone Firmware; Voip Phone
Vendor: CVE Published:; 16 June 2014

What is CVE-2014-3428?

Yealink VoIP Phones running firmware version 28.72.0.2 are susceptible to a cross-site scripting vulnerability that enables remote attackers to execute arbitrary web scripts or HTML. This weakness arises from improper validation of input in the model parameter to the servlet, allowing unauthorized entities to manipulate the device's web interface, potentially leading to further exploits.

References

http://www.securityfocus.com/bid/68023

vdb-entryx_refsource_BID

http://packetstormsecurity.com/files/127081/Yealink-VoIP-...

x_refsource_MISC

http://seclists.org/fulldisclosure/2014/Jun/74

mailing-listx_refsource_FULLDISC

Timeline

Vulnerability published
Jun 16, 2014
Vulnerability Reserved
May 7, 2014