Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
References
Link | Resource |
---|---|
https://ssd-disclosure.com/?p=4688 | Third Party Advisory |
Configurations
History
08 Aug 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-78 |
Information
Published : 2021-10-15 18:15
Updated : 2024-02-28 18:48
NVD link : CVE-2021-27561
Mitre link : CVE-2021-27561
CVE.ORG link : CVE-2021-27561
JSON object : View
Products Affected
yealink
- device_management
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')