Stefan Gloor

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS API versions prior to 2025-05-26 Description: The issue is related to the lack of rate limiting in the Yealink YMCS RPS API, which could potentially enable information disclosure via excessive requests. Recommendations: For versions prior to 2025-05-26, consider implementing rate limiting on the API to prevent excessive requests until a patch is available.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS versions prior to 2025-05-26 Description: The issue allows unauthorized access to deactivated interfaces due to the lack of prevention of OpenAPI access by frozen enterprise accounts. Recommendations: For Yealink YMCS versions prior to 2025-05-26, consider restricting access to OpenAPI until a fix is applied to prevent unauthorized access by frozen enterprise accounts.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS versions prior to 2025-05-26 Description: The certificate upload function in Yealink YMCS RPS does not properly validate certificate content, potentially allowing invalid certificates to be uploaded. Recommendations: For versions prior to 2025-05-26, update to a version released after 2025-05-26 to ensure proper validation of certificate content.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS versions prior to 2025-06-04 Description: The issue is related to the lack of SN verification attempt limits, which enables brute-force enumeration of the last five digits. Recommendations: For versions prior to 2025-06-04, update to a version released after 2025-06-04 to include SN verification attempt limits and prevent brute-force enumeration.