CVE-2024-33109

Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:ergophone:tiptel_ip_286_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:ergophone:tiptel_ip_286:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:yealink:sip-t28p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yealink:sip-t28p:-:*:*:*:*:*:*:*

History

25 Sep 2024, 14:47

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.9
v2 : unknown
v3 : 9.8
CPE cpe:2.3:o:ergophone:tiptel_ip_286_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:ergophone:tiptel_ip_286:-:*:*:*:*:*:*:*
cpe:2.3:o:yealink:sip-t28p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yealink:sip-t28p:-:*:*:*:*:*:*:*
First Time Ergophone
Ergophone tiptel Ip 286 Firmware
Ergophone tiptel Ip 286
Yealink sip-t28p Firmware
Yealink sip-t28p
Yealink
References () http://tiptel.com - () http://tiptel.com - Product
References () https://www.bdosecurity.de/en-gb/advisories/cve-2024-33109 - () https://www.bdosecurity.de/en-gb/advisories/cve-2024-33109 - Third Party Advisory

20 Sep 2024, 13:35

Type Values Removed Values Added
CWE CWE-22

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) Directory Traversal en la interfaz web del Tiptel IP 286 con la versión de firmware 2.61.13.10 permite a los atacantes sobrescribir archivos arbitrarios en el teléfono a través de la función de carga de tono de llamada.

19 Sep 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-19 19:15

Updated : 2024-09-25 14:47


NVD link : CVE-2024-33109

Mitre link : CVE-2024-33109

CVE.ORG link : CVE-2024-33109


JSON object : View

Products Affected

yealink

  • sip-t28p_firmware
  • sip-t28p

ergophone

  • tiptel_ip_286_firmware
  • tiptel_ip_286
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')