CVE-2020-5757

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:34

Type Values Removed Values Added
References () https://www.tenable.com/security/research/tra-2020-42 - Not Applicable () https://www.tenable.com/security/research/tra-2020-42 - Not Applicable

Information

Published : 2020-07-17 21:15

Updated : 2024-11-21 05:34


NVD link : CVE-2020-5757

Mitre link : CVE-2020-5757

CVE.ORG link : CVE-2020-5757


JSON object : View

Products Affected

grandstream

  • ucm6208
  • ucm6204
  • ucm6202
  • ucm6208_firmware
  • ucm6204_firmware
  • ucm6202_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')