Description
Multiple cross-site scripting (XSS) vulnerabilities in the Local Phone book and Blacklist forms in Yealink VoIP phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.
Exploits (1)
exploitdb
WRITEUP
by Narendra Shinde · text · webapps · hardware
https://www.exploit-db.com/exploits/18540
References (7)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/52209
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/79675
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/73573
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/48194
Exploit (x_refsource_misc): http://packetstormsecurity.org/files/110320/yealink-xss.txt
Third Party Advisory (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/18540
Scores
EPSS: 0.0093
EPSS Percentile: 76.2%
Details
CWE: CWE-79
Status: published
Products (14)
yealink/gigabit_color_ip_phone_sip-t32g
yealink/gigabit_color_ip_phone_sip-t38g
yealink/ip_phone_sip-t19p
yealink/ip_phone_sip-t20p
yealink/ip_phone_sip-t21p
yealink/ip_phone_sip-t22p
yealink/ip_phone_sip-t26p
yealink/ip_phone_sip-t28p
yealink/ip_video_phone_vp530
yealink/ultra-elegant_ip_phone_sip-t41p
... and 4 more
Published: Sep 17, 2014
Tracked Since: Feb 18, 2026