Vulnerabilities > Grandstream > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-07-29 CVE-2020-5762 NULL Pointer Dereference vulnerability in Grandstream products
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service.
network
low complexity
grandstream CWE-476
5.0
2020-03-30 CVE-2020-5726 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888.
network
low complexity
grandstream CWE-89
5.0
2020-03-30 CVE-2020-5725 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
4.3
2020-03-30 CVE-2020-5724 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
network
low complexity
grandstream CWE-89
5.0
2020-03-30 CVE-2020-5723 Cleartext Storage of Sensitive Information vulnerability in Grandstream products
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database.
network
low complexity
grandstream CWE-312
5.0
2019-04-01 CVE-2018-17563 Missing Encryption of Sensitive Data vulnerability in Grandstream products
A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext.
network
low complexity
grandstream CWE-311
5.0
2019-03-30 CVE-2019-10663 SQL Injection vulnerability in Grandstream Ucm6204 Firmware
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
network
low complexity
grandstream CWE-89
6.5
2019-03-30 CVE-2019-10657 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware and Gwn7610 Firmware
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
network
low complexity
grandstream CWE-78
6.5
2017-11-06 CVE-2017-16565 Cross-Site Request Forgery (CSRF) vulnerability in Grandstream Ht802 Firmware
Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.
6.8
2017-11-06 CVE-2017-16563 Cross-Site Request Forgery (CSRF) vulnerability in Grandstream Ht802 Firmware
Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update.
6.0