CVE-2013-3542 – Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-3542
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hard-coded account "!#/" whose password is the same string, which lets remote attackers obtain access over a TELNET session without any configuration by the owner. Because the account is baked into the firmware rather than created through the web interface, the practical mitigation is to block or restrict TCP/23 to the cameras at the network edge and to apply vendor firmware that removes the account. Grandstream series IP cameras suffer from backdoor, cross-site request forgery, and cross-site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2013/Jun/84 https://www.youtube.com/watch?v=XkCBs4lenhI • CWE-798: Use of Hard-coded Credentials •
CVE-2013-3962 – Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-3962
Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (the request path is reflected into the response without being HTML-encoded). Fixed in firmware 1.0.4.44 per the vendor release note below. Grandstream series IP cameras suffer from backdoor, cross-site request forgery, and cross-site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2013/Jun/84 http://www.grandstream.com/firmware/BETATEST/GXV35xx_GXV36xx_H/Release_Note_GXV35xx_GXV36xx_H1.0.4.44.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
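The following is an added illustration of the PATH_INFO reflection bug class, not Grandstream's embedded web server code and not taken from the advisory. It assumes a hypothetical 404 handler that echoes the requested path back into the page; the percent-decoding step mirrors what a WSGI-style server does before exposing PATH_INFO. The request line and payload are constructed for the example.

```python
import html
from urllib.parse import unquote

# Constructed request line: a browser percent-encodes "<" and ">" in the URL,
# but the server decodes them before placing the path in PATH_INFO.
RAW_REQUEST_LINE = "GET /%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1"

KNOWN_PATHS = {"/", "/index.html", "/goform/usermanage"}  # hypothetical route table


def path_info_from_request_line(request_line: str) -> str:
    """Extract and percent-decode the path, as a typical server does for PATH_INFO."""
    _method, target, _version = request_line.split(" ", 2)
    return unquote(target.split("?", 1)[0])


def render_404_vulnerable(path_info: str) -> str:
    # Reflects the decoded path straight into HTML: the CWE-79 pattern behind CVE-2013-3962.
    return f"<html><body><h1>404 Not Found</h1><p>{path_info} was not found.</p></body></html>"


def render_404_fixed(path_info: str) -> str:
    # HTML-encode the path so < > & " ' become entities and cannot start a tag or break an attribute.
    safe = html.escape(path_info, quote=True)
    return f"<html><body><h1>404 Not Found</h1><p>{safe} was not found.</p></body></html>"


def serve(request_line: str, renderer) -> tuple[str, dict, str]:
    """Minimal dispatcher: known paths return 200, anything else goes to the 404 renderer."""
    path = path_info_from_request_line(request_line)
    if path in KNOWN_PATHS:
        return "200 OK", {"Content-Type": "text/html"}, "<html><body>ok</body></html>"
    # Defense in depth: a CSP without 'unsafe-inline' blocks any inline script that does slip through.
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'",
    }
    return "404 Not Found", headers, renderer(path)


def reflects_script(body: str) -> bool:
    """True if a live <script> tag made it into the response body."""
    return "<script>" in body.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_404_vulnerable), ("fixed", render_404_fixed)):
        status, _headers, body = serve(RAW_REQUEST_LINE, renderer)
        print(f"{name}: {status}, script reflected = {reflects_script(body)}")
```

Checking a deployed camera for this bug is a single request: fetch a non-existent path containing an encoded `<` and see whether the response body contains it decoded and unescaped. The fixed renderer returns the entity-encoded form, which the browser displays as text rather than executing.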
CVE-2013-3963 – Grandstream Multiple IP Cameras - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-3963
Cross-site request forgery (CSRF) vulnerability in goform/usermanage in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models allows remote attackers to hijack the authentication of unspecified victims for requests that add users: an administrator who is logged in to the camera and visits an attacker-controlled page can have a new account created on the device without any further interaction. Grandstream series IP cameras suffer from backdoor, cross-site request forgery, and cross-site scripting vulnerabilities. • https://www.exploit-db.com/exploits/38584 http://seclists.org/fulldisclosure/2013/Jun/84 • CWE-352: Cross-Site Request Forgery (CSRF) •