CVE-2012-1417

Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html
http://packetstormsecurity.org/files/110320/yealink-xss.txt	Exploit
http://secunia.com/advisories/48194
http://www.exploit-db.com/exploits/18540	Exploit
http://www.osvdb.org/79675
http://www.securityfocus.com/bid/52209
https://exchange.xforce.ibmcloud.com/vulnerabilities/73573

Configurations

Configuration 1 (hide)

OR	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t32g:-:::::::*
	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t38g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t19p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t20p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t21p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t22p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t26p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t28p:-:::::::*
	cpe:2.3:h:yealink:ip_video_phone_vp530:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t41p:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t42g:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t46g:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t48g:-:::::::*
	cpe:2.3:h:yealink:w52p:-:::::::*

History

No history.

Information

Published : 2014-09-17 14:55

Updated : 2024-02-28 12:20

NVD link : CVE-2012-1417

Mitre link : CVE-2012-1417

CVE.ORG link : CVE-2012-1417

JSON object : View

Products Affected

yealink

ip_phone_sip-t28p
ultra-elegant_ip_phone_sip-t48g
ip_video_phone_vp530
w52p
ultra-elegant_ip_phone_sip-t41p
gigabit_color_ip_phone_sip-t32g
ip_phone_sip-t21p
gigabit_color_ip_phone_sip-t38g
ip_phone_sip-t20p
ip_phone_sip-t19p
ultra-elegant_ip_phone_sip-t42g
ip_phone_sip-t22p
ultra-elegant_ip_phone_sip-t46g
ip_phone_sip-t26p

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2012-1417", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-09-17T14:55:02.963", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html", "source": "cve@mitre.org"}, {"url": "http://packetstormsecurity.org/files/110320/yealink-xss.txt", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/48194", "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/18540", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/79675", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/52209", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73573", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Local Phone book y Blacklist en Yealink VOIP Phones permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del campo 'user' hacia cgi-bin/ConfigManApp.com."}], "lastModified": "2017-08-29T01:31:16.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t32g:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8274CC4-391F-49B2-BA1C-82F54DE4A5D9"}, {"criteria": "cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t38g:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6ED3BACB-4AE6-4D53-B058-6FF1C7634F1D"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t19p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BF3E795-BF27-48D9-8737-CDA86FB580B1"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t20p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C593189-C2E8-44FD-9EE2-5E3DECF0A763"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t21p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C09377BF-BB8F-44CD-BD47-3B381DC5CF5F"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t22p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51EE4155-F0DE-4DB2-8E9F-ED316D241176"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t26p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C67D703-166F-4D26-9FF2-02133926B65F"}, {"criteria": "cpe:2.3:h:yealink:ip_phone_sip-t28p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EA7DD45-BF4E-4F8B-858F-4AA16934F4B9"}, {"criteria": "cpe:2.3:h:yealink:ip_video_phone_vp530:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16B6BDE8-846A-41D9-9F3F-E30635D41B6F"}, {"criteria": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t41p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B78A770C-A9FC-4900-AA3C-72F41745CE2A"}, {"criteria": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t42g:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6FF97DC-B477-4A58-8D23-59DD9D64C9B3"}, {"criteria": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t46g:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79D78818-02DE-4BF6-8AE3-490005329407"}, {"criteria": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t48g:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76ED7CFC-CFE7-41DB-B716-2F1F88478EFF"}, {"criteria": "cpe:2.3:h:yealink:w52p:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "613FA44A-0147-4AB5-83E8-9CDB906CCED2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}