Vulnerability CVE-2020-5722


Published: 2020-03-23

Description:
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

See advisories in our WLB2 database:
Topic
Author
Date
High
Grandstream UCM62xx IP PBX sendPasswordEmail Remote Code Execution
jbaines-r7
26.01.2022

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
https://www.tenable.com/security/research/tra-2020-15

Copyright 2024, cxsecurity.com

 

Back to Top