CVE-2014-3427 - Unspecified vulnerability in Yealink Voip Phone Firmware 28.72.0.2

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
network
low complexity
yealink
exploit available

Summary

CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet. CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') (https://cwe.mitre.org/data/definitions/93.html)

Vulnerable Configurations

Part: OS
Description: Yealink
Count: 1

Exploit-Db

description: Yealink VoIP Phones '/servlet' HTTP Response Splitting Vulnerability. CVE-2014-3427. Webapps exploit for java platform
id: EDB-ID:39334
last seen: 2016-02-04
modified: 2014-06-12
published: 2014-06-12
reporter: Jesus Oquendo
source: https://www.exploit-db.com/download/39334/
title: Yealink VoIP Phones '/servlet' HTTP Response Splitting Vulnerability

Packetstorm

data source: https://packetstormsecurity.com/files/download/127081/yealink-crlfxss.txt
id: PACKETSTORM:127081
last seen: 2016-12-05
published: 2014-06-13
reporter: Jesus Oquendo
source: https://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html
title: Yealink VoIP Phones XSS / CRLF Injection