PT-2019-13761 · Yealink · Yealink Phones

Published: 2019-10-08 · Updated: 2019-10-17 · CVE-2019-14656

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Yealink phones, versions prior to 2019-08-04

Description: The issue concerns improper checking of user roles in POST requests. This allows the default User account, which has the default password "user", to make admin requests via HTTP.

Recommendations: For Yealink phones with versions prior to 2019-08-04, consider restricting access to admin requests until a proper fix is applied. As a temporary workaround, changing the default User account password from "user" to a stronger one may help reduce the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2019-14656

Affected Products

Yealink Phones