CVE-2020-25217
https://notcve.org/view.php?id=CVE-2020-25217
Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface. El teléfono VoIP Grandstream GRP261x que ejecuta la versión de firmware 1.0.3.6 (Base), permite una Inyección de Comando como root en su interfaz web administrativa • https://cwe.mitre.org/data/definitions/77.html https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0001/FEYE-2021-0001.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2020-25218
https://notcve.org/view.php?id=CVE-2020-25218
Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allow Authentication Bypass in its administrative web interface. El teléfono VoIP Grandstream GRP261x que ejecuta la versión de firmware 1.0.3.6 (Base), permite una Omisión de Autenticación en su interfaz web administrativa • https://cwe.mitre.org/data/definitions/306.html https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0002/FEYE-2021-0002.md • CWE-306: Missing Authentication for Critical Function •
CVE-2020-5763
https://notcve.org/view.php?id=CVE-2020-5763
Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt. Grandstream serie HT800 versiones de firmware 1.0.17.5 y posteriores, contiene una backdoor en el servicio SSH. Un atacante remoto autenticado puede obtener un root shell cuando responde correctamente una petición de desafío • https://www.tenable.com/security/research/tra-2020-43 https://www.tenable.com/security/research/tra-2020-47 • CWE-326: Inadequate Encryption Strength CWE-489: Active Debug Code •
CVE-2020-5762
https://notcve.org/view.php?id=CVE-2020-5762
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service. An unauthenticated remote attacker can stop the service due to a NULL pointer dereference in the TR-069 service. This condition is triggered due to mishandling of the HTTP Authentication field. Grandstream serie HT800 versiones de firmware 1.0.17.5 y posteriores, es vulnerable a un ataque de denegación de servicio contra el servicio TR-069. Un atacante remoto no autenticado puede detener el servicio debido a una desreferencia del puntero NULL en el servicio TR-069. • https://www.tenable.com/security/research/tra-2020-43 https://www.tenable.com/security/research/tra-2020-47 • CWE-476: NULL Pointer Dereference •
CVE-2020-5761
https://notcve.org/view.php?id=CVE-2020-5761
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to CPU exhaustion due to an infinite loop in the TR-069 service. Unauthenticated remote attackers can trigger this case by sending a one character TCP message to the TR-069 service. Grandstream serie HT800 versiones de firmware 1.0.17.5 y posteriores, es vulnerable a un agotamiento del CPU debido a un bucle infinito en el servicio TR-069. Los atacantes remotos no autenticados pueden activar este caso mediante el envío de un mensaje TCP de un carácter hacia el servicio TR-069 • https://www.tenable.com/security/research/tra-2020-43 https://www.tenable.com/security/research/tra-2020-47 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •