OpenCVE

CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Yealink	Voip Phone Firmware

Configuration 1 [-]

cpe:2.3:o:yealink:voip_phone_firmware:28.72.0.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html
http://seclists.org/fulldisclosure/2014/Jun/74
http://www.securityfocus.com/archive/1/532410/100/0/threaded

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-07-16T14:00:00

Updated: 2024-08-06T10:43:05.834Z

Reserved: 2014-05-07T00:00:00

Link: CVE-2014-3427

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-07-16T14:19:02.997

Modified: 2024-11-21T02:08:04.393

Link: CVE-2014-3427

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Jun/74"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3427", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jun/74"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:05.834Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Jun/74"}, {"name": "20140612 CVE-2014-3427 CRLF Injection and CVE-2014-3428 XSS Injection in Yealink VoIP Phones", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3427", "datePublished": "2014-07-16T14:00:00", "dateReserved": "2014-05-07T00:00:00", "dateUpdated": "2024-08-06T10:43:05.834Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yealink:voip_phone_firmware:28.72.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C65065E6-9314-44A0-B210-A10C176D8BA8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n CRLF en Yealink VoIP Phones con firmware 28.72.0.2 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y realizar ataques de divisi\u00f3n de respuesta HTTP a trav\u00e9s del par\u00e1metro model en servlet."}], "evaluatorComment": "<a href=\"https://cwe.mitre.org/data/definitions/93.html\">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>", "id": "CVE-2014-3427", "lastModified": "2024-11-21T02:08:04.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-16T14:19:02.997", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Jun/74"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/127081/Yealink-VoIP-Phones-XSS-CRLF-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Jun/74"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/532410/100/0/threaded"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}