{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-08T12:01:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://cerebusforensics.com/yealink/exploit.html"}, {"tags": ["x_refsource_MISC"], "url": "https://sway.office.com/3pCb559LYVuT0eig"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14656", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://cerebusforensics.com/yealink/exploit.html", "refsource": "MISC", "url": "http://cerebusforensics.com/yealink/exploit.html"}, {"name": "https://sway.office.com/3pCb559LYVuT0eig", "refsource": "MISC", "url": "https://sway.office.com/3pCb559LYVuT0eig"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14656", "datePublished": "2019-10-08T12:01:20", "dateReserved": "2019-08-04T00:00:00", "dateUpdated": "2019-10-08T12:01:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yeahlink:vp59_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A416A5F5-E7E8-4D54-8BD7-F9DACC7D2AB9", "versionEndIncluding": "2019-08-04", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yeahlink:vp59:-:*:*:*:*:*:*:*", "matchCriteriaId": "E2009943-3A1D-4129-A5D8-5F942D760537", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yeahlink:t49g_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BFE86FC-8AEA-4A0B-9D4A-1470DDABFDA2", "versionEndIncluding": "2019-08-04", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yeahlink:t49g:-:*:*:*:*:*:*:*", "matchCriteriaId": "B30F986B-FB81-4D5A-BC12-479C473E0508", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yeahlink:t58v_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BC06E8A-65CE-4E77-B427-966EF5FFFE08", "versionEndIncluding": "2019-08-04", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yeahlink:t58v:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2A7C6A9-D47D-402B-8C85-C403A593CF92", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP."}, {"lang": "es", "value": "Los tel\u00e9fonos Yealink hasta el 04-08-2019, no comprueban apropiadamente los roles de los usuarios en las peticiones POST. En consecuencia, la cuenta User predeterminada (con una contrase\u00f1a de usuario) puede realizar peticiones de administrador por medio de HTTP."}], "id": "CVE-2019-14656", "lastModified": "2019-10-17T18:51:56.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-08T13:15:15.237", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://cerebusforensics.com/yealink/exploit.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sway.office.com/3pCb559LYVuT0eig"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}