Vulnerabilities > Grandstream

DATE CVE VULNERABILITY TITLE RISK
2019-04-01 CVE-2018-17565 OS Command Injection vulnerability in Grandstream products
Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell.
network
low complexity
grandstream CWE-78
critical
10.0
2019-04-01 CVE-2018-17564 Unspecified vulnerability in Grandstream products
A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device.
network
low complexity
grandstream
7.5
2019-04-01 CVE-2018-17563 Missing Encryption of Sensitive Data vulnerability in Grandstream products
A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext.
network
low complexity
grandstream CWE-311
5.0
2019-03-30 CVE-2019-10663 SQL Injection vulnerability in Grandstream Ucm6204 Firmware
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
network
low complexity
grandstream CWE-89
6.5
2019-03-30 CVE-2019-10662 OS Command Injection vulnerability in Grandstream Ucm6204 Firmware
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10661 Improper Authentication vulnerability in Grandstream Gxv3611Ir HD Firmware
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
network
low complexity
grandstream CWE-287
critical
9.8
2019-03-30 CVE-2019-10660 OS Command Injection vulnerability in Grandstream Gxv3611Ir HD Firmware
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10659 OS Command Injection vulnerability in Grandstream Gxv3370 Firmware and Wp820 Firmware
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10658 OS Command Injection vulnerability in Grandstream Gwn7610 Firmware
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10657 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware and Gwn7610 Firmware
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
network
low complexity
grandstream CWE-78
6.5