Lucene search

TenableCVE-2020-5722

HistoryMar 23, 2020 - 8:15 p.m.

CVE-2020-5722

2020-03-2320:15:12

CWE-89

tenable

web.nvd.nist.gov

929

In Wild

grandstream

ucm6200

sql injection

http interface

remote

unauthenticated

cve-2020-5722

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.975

Percentile

100.0%

JSON

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Affected configurations

Nvd

Node

grandstreamucm6200_firmwareRange<1.0.19.20

AND

grandstreamucm6200Match-

VendorProductVersionCPE
grandstreamucm6200_firmware*cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*
grandstreamucm6200-cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
grandstream	ucm6200_firmware	*	cpe:2.3:o:grandstream:ucm6200_firmware::::::::
grandstream	ucm6200	-	cpe:2.3:h:grandstream:ucm6200:-:::::::*

CNA Affected

[
  {
    "product": "Grandstream UCM6200 Series",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Before 1.0.20.17"
      }
    ]
  }
]