CVE-2019-14656

Опубликовано: 08 окт. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Низкий

Описание

Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.

Ссылки

http://cerebusforensics.com/yealink/exploit.html
Exploit
Third Party Advisory
https://sway.office.com/3pCb559LYVuT0eig
Exploit
Third Party Advisory
http://cerebusforensics.com/yealink/exploit.html
Exploit
Third Party Advisory
https://sway.office.com/3pCb559LYVuT0eig
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:yeahlink:vp59_firmware:*:*:*:*:*:*:*:*

Версия до 2019-08-04 (включая)

cpe:2.3:h:yeahlink:vp59:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:yeahlink:t49g_firmware:*:*:*:*:*:*:*:*

Версия до 2019-08-04 (включая)

cpe:2.3:h:yeahlink:t49g:-:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:o:yeahlink:t58v_firmware:*:*:*:*:*:*:*:*

Версия до 2019-08-04 (включая)

cpe:2.3:h:yeahlink:t58v:-:*:*:*:*:*:*:*

EPSS

Процентиль: 62%

0.00427

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-22wm-vgh4-2j44

CVSS3: 8.8

github

больше 3 лет назад

Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.

EPSS

Процентиль: 62%

0.00427

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-434