CVE-2012-1417

Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/52209
http://www.osvdb.org/79675
http://www.exploit-db.com/exploits/18540	Exploit
http://packetstormsecurity.org/files/110320/yealink-xss.txt	Exploit
http://secunia.com/advisories/48194
http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/73573

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t32g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t28p:-:::::::*
	cpe:2.3:h:yealink:w52p:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t41p:-:::::::*
	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t38g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t19p:-:::::::*
	cpe:2.3:h:yealink:ip_video_phone_vp530:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t46g:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t42g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t21p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t20p:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t48g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t22p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t26p:-:::::::*

Information

Published : 2014-09-17 07:55

Updated : 2017-08-28 18:31

NVD link : CVE-2012-1417

Mitre link : CVE-2012-1417

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advertisement

Products Affected

yealink

ultra-elegant_ip_phone_sip-t42g
ip_phone_sip-t20p
gigabit_color_ip_phone_sip-t32g
ip_phone_sip-t22p
ultra-elegant_ip_phone_sip-t41p
ultra-elegant_ip_phone_sip-t48g
ip_phone_sip-t19p
ip_phone_sip-t21p
ip_video_phone_vp530
gigabit_color_ip_phone_sip-t38g
w52p
ip_phone_sip-t26p
ip_phone_sip-t28p
ultra-elegant_ip_phone_sip-t46g

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/52209", "name": "52209", "tags": [], "refsource": "BID"}, {"url": "http://www.osvdb.org/79675", "name": "79675", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.exploit-db.com/exploits/18540", "name": "18540", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://packetstormsecurity.org/files/110320/yealink-xss.txt", "name": "http://packetstormsecurity.org/files/110320/yealink-xss.txt", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/48194", "name": "48194", "tags": [], "refsource": "SECUNIA"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html", "name": "20120313 Yealink VOIP Phone Persistent Cross Site Scripting Vulnerability [CVE-2012-1417]", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73573", "name": "yealinkvoipphone-multiple-xss(73573)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-1417", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-09-17T14:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t32g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t28p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:w52p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t41p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t38g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t19p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_video_phone_vp530:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t46g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t42g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t21p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t20p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t48g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t22p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:h:yealink:ip_phone_sip-t26p:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:31Z"}