CVE-2012-1417 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Yealink	Ultra-elegant Ip Phone Sip-t42g Ultra-elegant Ip Phone Sip-t46g Ip Phone Sip-t26p Ip Phone Sip-t21p Ultra-elegant Ip Phone Sip-t48g Gigabit Color Ip Phone Sip-t38g Ip Phone Sip-t28p Ip Phone Sip-t20p Ultra-elegant Ip Phone Sip-t41p Ip Video Phone Vp530 W52p Ip Phone Sip-t22p Gigabit Color Ip Phone Sip-t32g Ip Phone Sip-t19p

Configuration 1 [-]

OR	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t32g:-:::::::*
	cpe:2.3:h:yealink:gigabit_color_ip_phone_sip-t38g:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t19p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t20p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t21p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t22p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t26p:-:::::::*
	cpe:2.3:h:yealink:ip_phone_sip-t28p:-:::::::*
	cpe:2.3:h:yealink:ip_video_phone_vp530:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t41p:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t42g:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t46g:-:::::::*
	cpe:2.3:h:yealink:ultra-elegant_ip_phone_sip-t48g:-:::::::*
	cpe:2.3:h:yealink:w52p:-:::::::*

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2012-03/0056.html
http://packetstormsecurity.org/files/110320/yealink-xss.txt	Exploit
http://secunia.com/advisories/48194
http://www.exploit-db.com/exploits/18540	Exploit
http://www.osvdb.org/79675
http://www.securityfocus.com/bid/52209
https://exchange.xforce.ibmcloud.com/vulnerabilities/73573