CVE-2019-14656

Published: Oct 8, 2019Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.

Affected (3)

Products: Yeahlink: Vp59 Firmware, T49g Firmware, T58v Firmware

3 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yeahlink Vp59 Firmware	Up to 2019-08-04

Running on/with	Platform Versions
Yeahlink Vp59	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yeahlink T49g Firmware	Up to 2019-08-04

Running on/with	Platform Versions
Yeahlink T49g	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yeahlink T58v Firmware	Up to 2019-08-04

Running on/with	Platform Versions
Yeahlink T58v	All versions

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

http://cerebusforensics.com/yealink/exploit.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://sway.office.com/3pCb559LYVuT0eig

Source: cve@mitre.org

ExploitThird Party Advisory

http://cerebusforensics.com/yealink/exploit.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://sway.office.com/3pCb559LYVuT0eig

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.