CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
100.0%
A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(160530);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");
script_cve_id("CVE-2020-5722");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");
script_name(english:"Grandstream Networks UCM6200 Series SQLi (Phone Web UI)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is vulnerable and can be compromised");
script_set_attribute(attribute:"description", value:
"A SQL injection vulnerability exists in Grandstream UCM6200 Series devices. An unauthenticated, remote attacker can
exploit this to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails
in versions before 1.0.20.17.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2020-15");
script_set_attribute(attribute:"solution", value:
"Update to the fixed version as per the advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5722");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Grandstream UCM62xx IP PBX sendPasswordEmail RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/05");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("grandstream_www_detect.nbin");
script_require_keys("installed_sw/Grandstream Phone");
script_require_ports("Services/www", 80, 443);
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var port = get_http_port(default:80, embedded:TRUE);
var app_info = vcf::get_app_info(app:'Grandstream Phone', port:port, webapp:TRUE);
# UCM6200 Series Models only. Empty model and paranoid still runs
if (empty_or_null(app_info.model))
{
if (report_paranoia < 2)
audit(AUDIT_POTENTIAL_VULN, 'Grandstream device', app_info.version);
else
app_info.model = UNKNOWN_VER;
}
else if (app_info.model !~ "UCM62[0-9]{2}($|[^0-9])")
audit(AUDIT_HOST_NOT, 'an affected Grandstream device');
var constraints = [
{ 'fixed_version' : '1.0.20.17' }
];
vcf::grandstream::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{'sqli':TRUE});
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
100.0%