Vulnerability Details CVE-2020-5724
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.529
EPSS Ranking 97.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2020-5724
-
cpe:2.3:h:grandstream:ucm6202:-
-
cpe:2.3:h:grandstream:ucm6204:-
-
cpe:2.3:h:grandstream:ucm6208:-
-
cpe:2.3:o:grandstream:ucm6202_firmware:*
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.10.44
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.11.27
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.12.19
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.13.14
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.14.24
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.15.16
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.16.20
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.17.16
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.18.13
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.19.20
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.19.21
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.2.97
-
cpe:2.3:o:grandstream:ucm6204_firmware:1.0.9.97
-
cpe:2.3:o:grandstream:ucm6208_firmware:*