Vulnerability Description
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Grandstream | Wave | <= 1.0.1.26 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-TheThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/537818/100/0/threaded
- https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisThird Party Advisory
- http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-TheThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/537818/100/0/threaded
- https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisThird Party Advisory
FAQ
What is CVE-2016-1518?
CVE-2016-1518 is a vulnerability with a CVSS score of 8.1 (HIGH). The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequen...
How severe is CVE-2016-1518?
CVE-2016-1518 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-1518?
Check the references section above for vendor advisories and patch information. Affected products include: Grandstream Wave.