Vulnerability Description
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Grandstream | Ucm6200 Firmware | < 1.0.19.20 |
| Grandstream | Ucm6200 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-InjExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswExploitThird Party AdvisoryVDB Entry
- https://www.tenable.com/security/research/tra-2020-15ExploitThird Party Advisory
- http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-InjExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswExploitThird Party AdvisoryVDB Entry
- https://www.tenable.com/security/research/tra-2020-15ExploitThird Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-US Government Resource
FAQ
What is CVE-2020-5722?
CVE-2020-5722 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands...
How severe is CVE-2020-5722?
CVE-2020-5722 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-5722?
Check the references section above for vendor advisories and patch information. Affected products include: Grandstream Ucm6200 Firmware, Grandstream Ucm6200.