Vulnerabilities > Grandstream

DATE CVE VULNERABILITY TITLE RISK
2019-03-30 CVE-2019-10658 OS Command Injection vulnerability in Grandstream Gwn7610 Firmware
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10657 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware and Gwn7610 Firmware
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
network
low complexity
grandstream CWE-78
6.5
2019-03-30 CVE-2019-10656 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware
Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.
network
low complexity
grandstream CWE-78
8.8
2019-03-30 CVE-2019-10655 OS Command Injection vulnerability in Grandstream products
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication.
network
low complexity
grandstream CWE-78
critical
9.8
2017-11-06 CVE-2017-16565 Cross-Site Request Forgery (CSRF) vulnerability in Grandstream Ht802 Firmware
Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.
network
low complexity
grandstream CWE-352
8.8
2017-11-06 CVE-2017-16564 Cross-site Scripting vulnerability in Grandstream Ht802 Firmware
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
network
low complexity
grandstream CWE-79
5.4
2017-11-06 CVE-2017-16563 Cross-Site Request Forgery (CSRF) vulnerability in Grandstream Ht802 Firmware
Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update.
network
low complexity
grandstream CWE-352
8.0
2017-04-21 CVE-2016-1520 7PK - Security Features vulnerability in Grandstream Wave 1.0.1.26
The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application.
local
low complexity
grandstream CWE-254
7.8
2017-04-21 CVE-2016-1519 Improper Certificate Validation vulnerability in Grandstream Wave 1.0.1.26
The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate.
network
high complexity
grandstream CWE-295
5.9
2017-04-21 CVE-2016-1518 Improper Access Control vulnerability in Grandstream Wave 1.0.1.26
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.
network
high complexity
grandstream CWE-284
8.1