cvelistv5 - cve-2014-3428

cve-2014-3428

Vulnerability from cvelistv5

Published

2014-06-16 18:00

Modified

2024-08-06 10:43

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html	Exploit
cve@mitre.org	http://seclists.org/fulldisclosure/2014/Jun/74
cve@mitre.org	http://www.securityfocus.com/archive/1/532410/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/68023	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2014/Jun/74
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/532410/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/68023	Exploit

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:43:05.970Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "68023",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/68023"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
          },
          {
            "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
          },
          {
            "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-06-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "68023",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/68023"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
        },
        {
          "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
        },
        {
          "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-3428",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "68023",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/68023"
            },
            {
              "name": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
            },
            {
              "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
            },
            {
              "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-3428",
    "datePublished": "2014-06-16T18:00:00",
    "dateReserved": "2014-05-07T00:00:00",
    "dateUpdated": "2024-08-06T10:43:05.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-3428\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2014-06-16T18:55:09.010\",\"lastModified\":\"2024-11-21T02:08:04.537\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de XSS en Yealink VoIP Phones con firmware 28.72.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro model en servlet.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:yealink:voip_phone_firmware:28.72.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C65065E6-9314-44A0-B210-A10C176D8BA8\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:yealink:voip_phone:28.2.0.128.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"48E0D8D9-F6F6-44C3-98F3-6A025DA31129\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Jun/74\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/532410/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/68023\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Jun/74\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/532410/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/68023\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}"
  }
}

gsd-2014-3428

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.

Aliases

CVE-2014-3428

Aliases

CVE-2014-3428

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-3428",
    "description": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.",
    "id": "GSD-2014-3428",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2014-3428"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-3428"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.",
      "id": "GSD-2014-3428",
      "modified": "2023-12-13T01:22:53.845087Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-3428",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "68023",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/68023"
          },
          {
            "name": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
          },
          {
            "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
          },
          {
            "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:yealink:voip_phone_firmware:28.72.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:yealink:voip_phone:28.2.0.128.0.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-3428"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "68023",
              "refsource": "BID",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.securityfocus.com/bid/68023"
            },
            {
              "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
            },
            {
              "name": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
            },
            {
              "name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2018-10-09T19:43Z",
      "publishedDate": "2014-06-16T18:55Z"
    }
  }
}

ghsa-f334-mrv2-rrrr

Vulnerability from github

Published

2022-05-14 02:52

Modified

2022-05-14 02:52

Details

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-3428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-06-16T18:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.",
  "id": "GHSA-f334-mrv2-rrrr",
  "modified": "2022-05-14T02:52:42Z",
  "published": "2022-05-14T02:52:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3428"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP P are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc. I. ADVISORY

CVE-2014-3427 CRLF Injection in Yealink VoIP Phones CVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones

Date published: 06/12/2014 Vendor Contacted: 05/08/2014

II. BACKGROUND

Yealink is a manufacturer of VoIP and Video products. To minimize noise read more at:

http://www.yealink.com/Companyprofile.aspx

III. DESCRIPTION

There are CRLF Injection and XSS vulnerabilities in Yealink VoIP telephones. Validated on

Firmware Version 28.72.0.2 Hardware Version 28.2.0.128.0.0.0

CRLF Injection (Header Splitting) proof of concept:

Request GET /servlet?linepage=1&model=%0d%0a%20 ANYTHING I WANT GOES HERE &p=dsskey&q=load HTTP/1.1

In the above request, attackers can shove in code, webpages, etc. In my tests, I have used javascript, redirects, and even an entire web page shoved into the CRLF vulnerable inputs.

The XSS vulnerability

GET /servlet?jumpto=dsskey&model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22&p=login&q=loginForm HTTP/1.1

Typical Cross Site Scripting.

IV. SOLUTION

Minimize accessibility to the phone's interface.

V. VENDOR CONTACT AND RESPONSE

05/08/2014 E-mailed security@yealink.com (bounced) 05/08/2014 Created an account on Yealink's forum and sent message (no response for weeks) 05/26/2014 Response via e-mail from Yealink 05/26/2014 Replied to vendor I would disclose in June 06/01/2014 Reached back out to vendor for update 06/08/2014 Reached back out to vendor for update 06/11/2014 Rouched out one last time... Crickets 06/12/2014 Advisory

VI. TOOLS USED

Burpsuite, WVS, Firefox

-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201406-0123",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "voip phone",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "yealink",
        "version": "28.72.0.2"
      },
      {
        "model": "voip phone",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "yealink",
        "version": "28.2.0.128.0.0.0"
      },
      {
        "model": "hardware",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "yealink",
        "version": "28.2.0.128.0.0.0"
      },
      {
        "model": "yealink",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "yealink",
        "version": "28.72.0.2"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:yealink:voip_phone",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:yealink:voip_phone_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jesus Oquendo",
    "sources": [
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "PACKETSTORM",
        "id": "127081"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2014-3428",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2014-3428",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-71368",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2014-3428",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2014-3428",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201406-324",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-71368",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. \nYealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. Yealink VoIP P are IP phone products of China YeaLink Company. The product supports caller avatar display, call recording and anonymous calling, etc. \nI. \tADVISORY\n\nCVE-2014-3427 CRLF Injection in Yealink VoIP Phones\nCVE-2014-3428 XSS vulnerabilities in Yealink VoIP Phones\n\nDate published:\t06/12/2014\nVendor Contacted: 05/08/2014\n\n\nII. \tBACKGROUND\n\nYealink is a manufacturer of VoIP and Video products. To\nminimize noise read more at:\n\nhttp://www.yealink.com/Companyprofile.aspx\n\n\nIII. \tDESCRIPTION\n\nThere are CRLF Injection and XSS vulnerabilities in Yealink\nVoIP telephones. Validated on \n\nFirmware Version        28.72.0.2\nHardware Version        28.2.0.128.0.0.0\n\nCRLF Injection (Header Splitting) proof of concept:\n\nRequest\nGET /servlet?linepage=1\u0026model=%0d%0a%20 ANYTHING I WANT GOES HERE \u0026p=dsskey\u0026q=load HTTP/1.1\n\nIn the above request, attackers can shove in code, webpages,\netc. In my tests, I have used javascript, redirects, and even\nan entire web page shoved into the CRLF vulnerable inputs. \n\n\n-----\n\n\nThe XSS vulnerability\n\nGET /servlet?jumpto=dsskey\u0026model=%22%20onmouseover%3dprompt%28 1337 %29%20badpuppy%3d%22\u0026p=login\u0026q=loginForm HTTP/1.1\n\nTypical Cross Site Scripting. \n\n\nIV. \tSOLUTION\n\nMinimize accessibility to the phone\u0027s interface. \n\n\nV. \tVENDOR CONTACT AND RESPONSE\n\n05/08/2014\tE-mailed security@yealink.com (bounced)\n05/08/2014\tCreated an account on Yealink\u0027s forum and\n\t\tsent message (no response for weeks)\n05/26/2014\tResponse via e-mail from Yealink\n05/26/2014\tReplied to vendor I would disclose in June\n06/01/2014\tReached back out to vendor for update\n06/08/2014\tReached back out to vendor for update\n06/11/2014\tRouched out one last time... Crickets\n06/12/2014\tAdvisory\n\n\nVI. \tTOOLS USED\n\nBurpsuite, WVS, Firefox\n\n\n\n-- \n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\nJ. Oquendo\nSGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM\n\n\"Where ignorance is our master, there is no possibility of\nreal peace\" - Dalai Lama\n\n42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF\nhttp://pgp.mit.edu:11371/pks/lookup?op=get\u0026search=0x2BF7D83F210A95AF\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "PACKETSTORM",
        "id": "127081"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-71368",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-3428",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "68023",
        "trust": 2.0
      },
      {
        "db": "PACKETSTORM",
        "id": "127081",
        "trust": 1.2
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-71368",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "PACKETSTORM",
        "id": "127081"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "id": "VAR-201406-0123",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T22:59:40.337000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.yealink.com/index.aspx"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/68023"
      },
      {
        "trust": 1.4,
        "url": "http://www.securityfocus.com/archive/1/archive/1/532410/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://seclists.org/fulldisclosure/2014/jun/74"
      },
      {
        "trust": 1.1,
        "url": "http://packetstormsecurity.com/files/127081/yealink-voip-phones-xss-crlf-injection.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3428"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3428"
      },
      {
        "trust": 0.3,
        "url": "www.yealink.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.yealink.com/companyprofile.aspx"
      },
      {
        "trust": 0.1,
        "url": "http://pgp.mit.edu:11371/pks/lookup?op=get\u0026search=0x2bf7d83f210a95af"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3428"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3427"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "PACKETSTORM",
        "id": "127081"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "db": "BID",
        "id": "68023"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "db": "PACKETSTORM",
        "id": "127081"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-06-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "date": "2014-06-12T00:00:00",
        "db": "BID",
        "id": "68023"
      },
      {
        "date": "2014-06-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "date": "2014-06-13T00:12:49",
        "db": "PACKETSTORM",
        "id": "127081"
      },
      {
        "date": "2014-06-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "date": "2014-06-16T18:55:09.010000",
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-71368"
      },
      {
        "date": "2014-06-12T00:00:00",
        "db": "BID",
        "id": "68023"
      },
      {
        "date": "2014-06-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      },
      {
        "date": "2014-06-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      },
      {
        "date": "2024-11-21T02:08:04.537000",
        "db": "NVD",
        "id": "CVE-2014-3428"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Yealink VoIP Phone Firmware cross-site scripting vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002944"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "127081"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201406-324"
      }
    ],
    "trust": 0.7
  }
}

fkie_cve-2014-3428

Vulnerability from fkie_nvd

Published

2014-06-16 18:55

Modified

2024-11-21 02:08

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet.

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html	Exploit
cve@mitre.org	http://seclists.org/fulldisclosure/2014/Jun/74
cve@mitre.org	http://www.securityfocus.com/archive/1/532410/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/68023	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2014/Jun/74
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/532410/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/68023	Exploit

Impacted products

	Vendor	Product	Version
	yealink	voip_phone_firmware	28.72.0.2
	yealink	voip_phone	28.2.0.128.0.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:yealink:voip_phone_firmware:28.72.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C65065E6-9314-44A0-B210-A10C176D8BA8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:yealink:voip_phone:28.2.0.128.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "48E0D8D9-F6F6-44C3-98F3-6A025DA31129",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary web script or HTML via the model parameter to servlet."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en Yealink VoIP Phones con firmware 28.72.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro model en servlet."
    }
  ],
  "id": "CVE-2014-3428",
  "lastModified": "2024-11-21T02:08:04.537",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-06-16T18:55:09.010",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/68023"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2014/Jun/74"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/68023"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2014-3428

Vulnerability from cvelistv5

gsd-2014-3428

Vulnerability from gsd

ghsa-f334-mrv2-rrrr

Vulnerability from github

var-201406-0123

Vulnerability from variot

fkie_cve-2014-3428

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature