CVE-2020-5725

The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/156976/Grandstream-UCM6200-Series-WebSocket-1.0.20.20-SQL-Injection.html
https://www.tenable.com/security/research/tra-2020-17	Exploit Third Party Advisory
http://packetstormsecurity.com/files/156976/Grandstream-UCM6200-Series-WebSocket-1.0.20.20-SQL-Injection.html
https://www.tenable.com/security/research/tra-2020-17	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-30 20:15

Updated : 2024-11-21 05:34

NVD link : CVE-2020-5725

Mitre link : CVE-2020-5725

CVE.ORG link : CVE-2020-5725

JSON object : View

Products Affected

grandstream

ucm6208
ucm6204
ucm6202_firmware
ucm6204_firmware
ucm6208_firmware
ucm6202

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2020-5725", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2020-03-30T20:15:20.133", "references": [{"url": "http://packetstormsecurity.com/files/156976/Grandstream-UCM6200-Series-WebSocket-1.0.20.20-SQL-Injection.html", "source": "vulnreport@tenable.com"}, {"url": "https://www.tenable.com/security/research/tra-2020-17", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnreport@tenable.com"}, {"url": "http://packetstormsecurity.com/files/156976/Grandstream-UCM6200-Series-WebSocket-1.0.20.20-SQL-Injection.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.tenable.com/security/research/tra-2020-17", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vulnreport@tenable.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords."}, {"lang": "es", "value": "La serie Grandstream UCM6200 versiones anteriores a 1.0.20.22, es vulnerable a una inyecci\u00f3n SQL por medio del endpoint websockify del servidor HTTP. Un atacante no autenticado remoto puede invocar la acci\u00f3n login con un nombre de usuario dise\u00f1ado y, mediante el uso de ataques de tiempo, puede detectar contrase\u00f1as de usuario."}], "lastModified": "2024-11-21T05:34:29.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:ucm6202_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F55C1906-9C0D-4479-B545-059329485BCD", "versionEndExcluding": "1.0.20.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:ucm6202:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9864BD0F-BE9C-4F72-AB57-77036699029B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:ucm6204_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D9A2414-684F-4C61-BCAC-E7967A7BFF2B", "versionEndExcluding": "1.0.20.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:ucm6204:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B5A26ABB-8BED-4E61-91AA-ABF1B90CBD81"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:grandstream:ucm6208_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3164240C-6CAB-4433-8EB3-5F09552A7F4D", "versionEndExcluding": "1.0.20.22"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:grandstream:ucm6208:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EA744718-8862-4579-B9CF-E1E8137A02E6"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vulnreport@tenable.com"}