OSVDB ID: 79675

Title: Yealink VOIP Phone Contacts Page /cgi-bin/ConfigManApp.com name Field XSS

Info

Disclosure

Mar 01, 2012

Discovery

Unknown

Dates

Exploit

Feb 29, 2012

Solution

Unknown

Description

Yealink VOIP Phone contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the name field upon submission to /cgi-bin/ConfigManApp.com when creating a contact. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Authentication Required, Web Related, Voice over IP

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

YEALINK NETWORK TECHNOLOGY CO., LTD.

Yealink VOIP Phone

Unspecified

References

Exploit Database: 18540
CVE ID: 2012-1417 (see also: NVD)
Secunia Advisory ID: 48194
Bugtraq ID: 52209
Packet Storm: http://packetstormsecurity.org/files/110320/yealink-xss.txt

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/79675