Cccll

**Name of the Vulnerable Software and Affected Versions** Yealink MeetingBar A30 version 133.321.0.3 **Description** A weakness exists in the Diagnostic Handler component that allows for command injection. The attack can be performed on the physical device. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yealink SIP-T21P E2 version 52.84.0.15 **Description** A flaw exists in the Local Directory Page component of the software that allows for cross-site scripting. The issue can be triggered remotely. The exploit is publicly available. The vendor was informed of the issue but did not provide a response. This vulnerability affects products that are no longer supported. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grandstream GXP1625 version 1.0.7.4 **Description** A security flaw exists in Grandstream GXP1625 version 1.0.7.4. The issue is related to basic cross site scripting, which can be triggered by manipulating the `vpn ip` argument within an unknown function of the file `/cgi-bin/api.values.post` of the Network Status Page component. Remote exploitation is possible. The exploit has been released publicly. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `/cgi-bin/api.values.post` file to minimize the risk of exploitation.