Filtered by vendor Grandstream
Subscribe
Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25217 | 1 Grandstream | 14 Grp2612, Grp2612 Firmware, Grp2612p and 11 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface. | |||||
| CVE-2019-10663 | 1 Grandstream | 2 Ucm6204, Ucm6204 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI. | |||||
| CVE-2019-10662 | 1 Grandstream | 2 Ucm6204, Ucm6204 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI. | |||||
| CVE-2019-10661 | 1 Grandstream | 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password. | |||||
| CVE-2019-10660 | 1 Grandstream | 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. | |||||
| CVE-2019-10659 | 1 Grandstream | 4 Gxv3370, Gxv3370 Firmware, Wp820 and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. | |||||
| CVE-2019-10658 | 1 Grandstream | 2 Gwn7610, Gwn7610 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. | |||||
| CVE-2019-10657 | 1 Grandstream | 4 Gwn7000, Gwn7000 Firmware, Gwn7610 and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request. | |||||
| CVE-2019-10656 | 1 Grandstream | 2 Gwn7000, Gwn7000 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. | |||||
| CVE-2019-10655 | 1 Grandstream | 10 Gac2500, Gac2500 Firmware, Gvc3202 and 7 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd. | |||||
| CVE-2018-17565 | 1 Grandstream | 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell. | |||||
| CVE-2018-17564 | 1 Grandstream | 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device. | |||||
| CVE-2018-17563 | 1 Grandstream | 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext. | |||||
| CVE-2017-16565 | 1 Grandstream | 2 Ht802, Ht802 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests. | |||||
| CVE-2017-16564 | 1 Grandstream | 2 Ht802, Ht802 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). | |||||
| CVE-2017-16563 | 1 Grandstream | 2 Ht802, Ht802 Firmware | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update. | |||||
| CVE-2016-1520 | 1 Grandstream | 1 Wave | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. | |||||
| CVE-2016-1519 | 1 Grandstream | 1 Wave | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. | |||||
| CVE-2016-1518 | 1 Grandstream | 1 Wave | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. | |||||
| CVE-2015-2866 | 1 Grandstream | 2 Gxv3611 Hd, Gxv3611 Hd Firmware | 2024-11-21 | 7.5 HIGH | N/A |
| SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted username. | |||||