PT-2019-13761 · Yealink · Yealink Phones

Published: 2019-10-08 · Updated: 2019-10-17 · CVE-2019-14656

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Yealink phones versions prior to 2019-08-04

Description

The issue concerns improper checking of user roles in POST requests. This allows the default User account, which has the password "user", to make admin requests via HTTP.

Recommendations

For Yealink phones versions prior to 2019-08-04, consider restricting access to admin requests until a proper fix is applied. As a temporary workaround, changing the default User account password from "user" to a stronger one may help minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2019-14656

Affected products

Yealink Phones