CVE-2020-5722

Опубликовано: 23 мар. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Критический

Описание

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Ссылки

http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.tenable.com/security/research/tra-2020-15
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.tenable.com/security/research/tra-2020-15
Exploit
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5722
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*

Версия до 1.0.19.20 (исключая)

cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.93481

Критический

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-cggp-723h-vg48

CVSS3: 9.8

github

больше 3 лет назад

BDU:2021-04390

CVSS3: 9.8

fstec

почти 6 лет назад

Уязвимость HTTP-интерфейса микропрограммного обеспечения маршрутизаторов Grandstream UCM6200, позволяющая нарушителю выполнить произвольные команды с привилегиями root

EPSS

Процентиль: 100%

0.93481

Критический

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-89