Description
CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Jesus Oquendo · text · webapps · java
https://www.exploit-db.com/exploits/39334
References (3)
Core References
Exploit x_refsource_misc
http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Jun/74
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532410/100/0/threaded
Scores
EPSS
0.0350
EPSS Percentile
87.7%
Details
Status
published
Products (1)
yealink/voip_phone_firmware
28.72.0.2
Published
Jul 16, 2014
Tracked Since
Feb 18, 2026