CVE-2020-5757

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-07-17 21:15

Updated : 2024-02-28 17:47


NVD link : CVE-2020-5757

Mitre link : CVE-2020-5757

CVE.ORG link : CVE-2020-5757


JSON object : View

Products Affected

grandstream

  • ucm6208
  • ucm6202
  • ucm6202_firmware
  • ucm6208_firmware
  • ucm6204
  • ucm6204_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')