CVE-2024-28442 | Yealink IP Phone | WebView Escape || Path Traversal
Note: Throughout the video proof of concept (POC) creation phase, there was no disclosure or exposure of any employee, organizational, or user data, ensuring strict adherence to data privacy protocols and maintaining the confidentiality of sensitive information.
During a private assessment of the Yealink IP Phone MP58/VP59, a security vulnerability was discovered. It allows the retrieval of sensitive files containing usernames and encrypted passwords.
Affected Device: Yealink MP58/VP59 Teams Edition
Affected Firmware Version: 122.15.0.33 / 91.15.0.118
Fixed Firmware Version: 122.15.0.142
Steps to Reproduce:
1. Power on the Yealink IP Phone.
2. On the home screen of Microsoft Teams, click on “Sign In”.
3. Upon encountering an error page, proceed by selecting the “Ok” button to dismiss the error prompt.