Vulnerabilities > Grandstream

DATE CVE VULNERABILITY TITLE RISK
2020-07-17 CVE-2020-5757 OS Command Injection vulnerability in Grandstream products
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP.
network
low complexity
grandstream CWE-78
critical
10.0
2020-07-17 CVE-2020-5756 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware 1.0.6.32
Grandstream GWN7000 firmware version 1.0.9.4 and below allows authenticated remote users to modify the system's crontab via undocumented API.
network
low complexity
grandstream CWE-78
critical
9.0
2020-04-14 CVE-2020-5739 Code Injection vulnerability in Grandstream products
Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker adds an OpenVPN up script to the phone's VPN settings via the "Additional Settings" field in the web interface.
network
low complexity
grandstream CWE-94
critical
9.0
2020-04-14 CVE-2020-5738 Link Following vulnerability in Grandstream products
Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker uploads a specially crafted tar file to the HTTP /cgi-bin/upload_vpntar interface.
network
low complexity
grandstream CWE-59
critical
9.0
2020-03-30 CVE-2020-5726 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888.
network
low complexity
grandstream CWE-89
5.0
2020-03-30 CVE-2020-5725 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
4.3
2020-03-30 CVE-2020-5724 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
network
low complexity
grandstream CWE-89
5.0
2020-03-30 CVE-2020-5723 Cleartext Storage of Sensitive Information vulnerability in Grandstream products
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database.
network
low complexity
grandstream CWE-312
5.0
2020-03-23 CVE-2020-5722 SQL Injection vulnerability in Grandstream Ucm6200 Firmware
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request.
network
low complexity
grandstream CWE-89
critical
10.0
2019-12-11 CVE-2013-3542 Use of Hard-coded Credentials vulnerability in Grandstream products
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes it easier for remote attackers to obtain access via a TELNET session.
network
low complexity
grandstream CWE-798
critical
10.0