Vulnerabilities > Grandstream > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-03-30 CVE-2020-5725 SQL Injection vulnerability in Grandstream products
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint.
network
high complexity
grandstream CWE-89
5.9
2019-04-01 CVE-2018-17563 Missing Encryption of Sensitive Data vulnerability in Grandstream products
A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext.
network
low complexity
grandstream CWE-311
5.3
2019-03-30 CVE-2019-10657 OS Command Injection vulnerability in Grandstream Gwn7000 Firmware and Gwn7610 Firmware
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
network
low complexity
grandstream CWE-78
6.5
2017-11-06 CVE-2017-16564 Cross-site Scripting vulnerability in Grandstream Ht802 Firmware
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
network
low complexity
grandstream CWE-79
5.4
2017-04-21 CVE-2016-1519 Improper Certificate Validation vulnerability in Grandstream Wave 1.0.1.26
The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate.
network
high complexity
grandstream CWE-295
5.9