CVE-2013-5757

Name of the Vulnerable Software and Affected Versions Yealink VoIP Phone SIP-T38G version (affected versions not specified)

Description The issue concerns an absolute path traversal vulnerability. It allows remote authenticated users to read arbitrary files by providing a full pathname in the dumpConfigFile function, which is accessible through the command parameter to the "cgi-bin/cgiServer.exx" endpoint.

Recommendations For Yealink VoIP Phone SIP-T38G, as a temporary workaround, consider restricting access to the dumpConfigFile function until a patch is available. Avoid using the command parameter in the "cgi-bin/cgiServer.exx" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.