Grandstream: Security Vulnerabilities
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2019-03-30
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
CVSS Score: 8.8 | EPSS Score: 0.022 | Published: 2019-03-30
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
CVSS Score: 8.8 | EPSS Score: 0.024 | Published: 2019-03-30
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.
CVSS Score: 8.8 | EPSS Score: 0.024 | Published: 2019-03-30
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-03-30
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
CVSS Score: 8.8 | EPSS Score: 0.102 | Published: 2019-03-30
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
CVSS Score: 8.8 | EPSS Score: 0.036 | Published: 2019-03-30
Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update.
CVSS Score: 8.0 | EPSS Score: 0.001 | Published: 2017-11-06
Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2017-11-06
Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2017-11-06
Shodan ® - All rights reserved