XSS in Linksys SPA941
What’s more is that the HTTP interface shows a call history. The call history page makes use of information gathered from the SIP messages themselves to display which numbers tried to call the phone.
This post on full-disclosure mailing list shows how this feature can be abused so that malformed SIP messages are able to inject html scripts in the web interface itself.
This is a reminder that when changing from one format or protocol to
another, the underlying code needs to make sure that the data is
properly escaped. In this case, the http server or underlying scripts
need to escape the miss call entries for html characters.