CVE-2012-1417

Yealink VOIP Phones - Authenticated Stored Cross-Site Scripting via User Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-1417. PoCs published by Narendra Shinde.

AI-analyzed exploit summary: This is a security advisory detailing a persistent cross-site scripting (XSS) vulnerability in Yealink VOIP Phone. The vulnerability allows attackers to inject malicious scripts via the 'name' field in the Local Phone book and Blacklist form, affecting both normal and admin users.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

Exploits (1)

exploitdb WRITEUP
by Narendra Shinde · text · webapps · hardware
https://www.exploit-db.com/exploits/18540

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yealink Easy VOIP Phone
Auth required
Prerequisites: Access to the device's web interface · Valid credentials (default: user:user)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/52209
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/79675
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/73573
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48194
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18540

Scores

EPSS 0.0173
EPSS Percentile 74.7%

Details

CWE: CWE-79
Status: published
Products (14)
yealink/gigabit_color_ip_phone_sip-t32g
yealink/gigabit_color_ip_phone_sip-t38g
yealink/ip_phone_sip-t19p
yealink/ip_phone_sip-t20p
yealink/ip_phone_sip-t21p
yealink/ip_phone_sip-t22p
yealink/ip_phone_sip-t26p
yealink/ip_phone_sip-t28p
yealink/ip_video_phone_vp530
yealink/ultra-elegant_ip_phone_sip-t41p
... and 4 more
Published Sep 17, 2014
Tracked Since Feb 18, 2026