Vulnerability Description
Yealink phones with firmware through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (whose default password is user) can make admin requests via HTTP.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yealink | VP59 Firmware | <= 2019-08-04 |
| Yealink | VP59 | - |
| Yealink | T49G Firmware | <= 2019-08-04 |
| Yealink | T49G | - |
| Yealink | T58V Firmware | <= 2019-08-04 |
| Yealink | T58V | - |
Related Weaknesses (CWE)
References
- http://cerebusforensics.com/yealink/exploit.html (Exploit, Third Party Advisory)
- https://sway.office.com/3pCb559LYVuT0eig (Exploit, Third Party Advisory)
FAQ
What is CVE-2019-14656?
CVE-2019-14656 is a vulnerability with a CVSS score of 8.8 (HIGH). Yealink phones with firmware through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (whose default password is user) can make admin requests via HTTP.
How severe is CVE-2019-14656?
CVE-2019-14656 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2019-14656?
Check the References section above for vendor advisories and patch information. Affected products include: Yealink VP59 Firmware, Yealink VP59, Yealink T49G Firmware, Yealink T49G, Yealink T58V Firmware, and Yealink T58V.