CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2019-14657

Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.019

EPSS Ranking 82.5%

CVSS Severity

CVSS v3 Score 8.8

CVSS v2 Score 9.0

References

http://cerebusforensics.com/yealink/exploit.html
https://sway.office.com/3pCb559LYVuT0eig
http://cerebusforensics.com/yealink/exploit.html
https://sway.office.com/3pCb559LYVuT0eig

Products affected by CVE-2019-14657

Yeahlink » T49g » Version: N/A

cpe:2.3:h:yeahlink:t49g:-
Yeahlink » T58v » Version: N/A

cpe:2.3:h:yeahlink:t58v:-
Yeahlink » Vp59 » Version: N/A

cpe:2.3:h:yeahlink:vp59:-
Yeahlink » T49g Firmware » Version: Any

cpe:2.3:o:yeahlink:t49g_firmware:*
Yeahlink » T58v Firmware » Version: Any

cpe:2.3:o:yeahlink:t58v_firmware:*
Yeahlink » Vp59 Firmware » Version: Any

cpe:2.3:o:yeahlink:vp59_firmware:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2019-14657

Products

Pricing

Contact Us