Vulnerabilities > Grandstream > High

DATE CVE VULNERABILITY TITLE RISK
2020-04-14 CVE-2020-5738 Link Following vulnerability in Grandstream products
Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker uploads a specially crafted tar file to the HTTP /cgi-bin/upload_vpntar interface.
network
low complexity
grandstream CWE-59
8.8
8.8
2020-03-30 CVE-2020-5726 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888.
network
low complexity
grandstream CWE-89
7.5
7.5
2020-03-30 CVE-2020-5724 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
network
low complexity
grandstream CWE-89
7.5
7.5
2019-03-30 CVE-2019-10663 SQL Injection vulnerability in Grandstream Ucm6204 Firmware
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
network
low complexity
grandstream CWE-89
8.8
8.8
2019-03-30 CVE-2019-10662 OS Command Injection vulnerability in Grandstream Ucm6204 Firmware
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
network
low complexity
grandstream CWE-78
8.8
8.8
2019-03-30 CVE-2019-10660 OS Command Injection vulnerability in Grandstream Gxv3611Ir HD Firmware
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.
network
low complexity
grandstream CWE-78
8.8
8.8
2019-03-30 CVE-2019-10659 OS Command Injection vulnerability in Grandstream Gxv3370 Firmware and Wp820 Firmware
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
network
low complexity
grandstream CWE-78
8.8
8.8
2019-03-30 CVE-2019-10658 OS Command Injection vulnerability in Grandstream Gwn7610 Firmware
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
network
low complexity
grandstream CWE-78
8.8
8.8
2019-03-30 CVE-2019-10656 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware
Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.
network
low complexity
grandstream CWE-78
8.8
8.8
2017-11-06 CVE-2017-16565 Cross-Site Request Forgery (CSRF) vulnerability in Grandstream Ht802 Firmware
Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.
network
low complexity
grandstream CWE-352
8.8
8.8