
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 Nov 2024 — Yealink Meeting Server before V26.0.0.67 allows attackers to obtain static key information from a front-end JS file and decrypt the plaintext passwords based on the obtained key information. • http://yealink.com • CWE-922: Insecure Storage of Sensitive Information

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 Nov 2024 — Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response by sending an HTTP request with an enterprise ID. • http://yealink.com • CWE-922: Insecure Storage of Sensitive Information

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Sep 2024 — Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function. • http://tiptel.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 2.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Apr 2024 — An issue in Yealink VP59 Microsoft Teams Phone firmware 91.15.0.118 (fixed in 122.15.0.142) allows a physically proximate attacker to disable the phone lock via the Walkie Talkie menu option. • https://medium.com/%40deepsahu1/yealink-vp59-microsoft-teams-phone-lock-bypass-b7fee9dd9c8c

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Mar 2024 — Directory Traversal vulnerability in Yealink VP59 v.91.15.0.118 allows a physically proximate attacker to obtain sensitive information via the terms of use function in the company portal component. • https://medium.com/%40deepsahu1/cve-2024-28442-yealink-ip-phone-webview-escape-leads-to-sensitive-file-disclosure-via-directory-686ef8f80227 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Feb 2024 — Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary. • https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability • CWE-321: Use of Hard-coded Cryptographic Key

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

08 Feb 2024 — Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface. • https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.0 • EPSS: 5% • CPEs: 2 • EXPL: 1

17 Oct 2023 — An issue in YeaLinkSIP-T19P-E2 v.53.84.0.15 allows a remote privileged attacker to execute arbitrary code via a crafted request to the ping function of the diagnostic component. • https://hackmd.io/%40tahaafarooq/auth_rce_voip • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.4 • EPSS: 0% • CPEs: 2 • EXPL: 0

22 Aug 2023 — Directory Traversal vulnerability in Contacts File Upload Interface in Yealink W60B version 77.83.0.85 allows attackers to gain sensitive information and cause a denial of service (DoS). • https://fuo.fi/CVE-2020-24113 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 10.0 • EPSS: 97% • CPEs: 1 • EXPL: 0

15 Oct 2021 — Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication. Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution. • https://ssd-disclosure.com/?p=4688 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')