Path Traversal Vulnerability in Yealink Ultra-elegant IP Phone SIP-T41P
CVE-2018-16221

8HIGH

Key Information:

Vendor: Yealink
Status: Ultra-elegant Ip Phone Sip-t41p Firmware
Vendor: CVE Published:; 29 May 2019

What is CVE-2018-16221?

The diagnostics web interface of the Yealink Ultra-elegant IP Phone SIP-T41P (firmware 66.83.0.35) is susceptible to a path traversal vulnerability. This weakness arises from the system's inability to properly validate and escape path information, enabling an authenticated remote attacker to access sensitive files, including potentially critical system files like /etc/passwd, through crafted POST requests.

References

https://www.sit.fraunhofer.de/de/securitytestlab/

x_refsource_MISC

https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Adv...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 29, 2019
Vulnerability Reserved
Aug 30, 2018