Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
References
Link | Resource |
---|---|
https://www.tenable.com/security/research/tra-2020-42 | Not Applicable |
https://www.tenable.com/cve/CVE-2020-5757 | Third Party Advisory |
https://www.tenable.com/security/research/tra-2020-42 | Not Applicable |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
History
21 Nov 2024, 05:34
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.tenable.com/security/research/tra-2020-42 - Not Applicable |
Information
Published : 2020-07-17 21:15
Updated : 2024-11-21 05:34
NVD link : CVE-2020-5757
Mitre link : CVE-2020-5757
CVE.ORG link : CVE-2020-5757
JSON object : View
Products Affected
grandstream
- ucm6208_firmware
- ucm6202
- ucm6204
- ucm6202_firmware
- ucm6208
- ucm6204_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')