
CVE-2019-10660
https://notcve.org/view.php?id=CVE-2019-10660
30 Mar 2019 — Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. • https://github.com/scarvell/grandstream_exploits • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-10659
https://notcve.org/view.php?id=CVE-2019-10659
30 Mar 2019 — Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. • https://github.com/scarvell/grandstream_exploits • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-10658
https://notcve.org/view.php?id=CVE-2019-10658
30 Mar 2019 — Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. • https://github.com/scarvell/grandstream_exploits • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-10657
https://notcve.org/view.php?id=CVE-2019-10657
30 Mar 2019 — Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request. • https://github.com/scarvell/grandstream_exploits • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-10656
https://notcve.org/view.php?id=CVE-2019-10656
30 Mar 2019 — Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. • https://github.com/scarvell/grandstream_exploits • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-10655 – Grandstream GXV31XX settimezone Unauthenticated Command Execution
https://notcve.org/view.php?id=CVE-2019-10655
30 Mar 2019 — Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpReques... • https://packetstorm.news/files/id/165931 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-16563
https://notcve.org/view.php?id=CVE-2017-16563
06 Nov 2017 — Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update. • https://distributedcompute.com/2017/11/04/vonage-ht802-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-16564
https://notcve.org/view.php?id=CVE-2017-16564
06 Nov 2017 — Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). • https://distributedcompute.com/2017/11/04/vonage-ht802-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16565
https://notcve.org/view.php?id=CVE-2017-16565
06 Nov 2017 — Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests. • https://distributedcompute.com/2017/11/04/vonage-ht802-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2016-1519 – Grandstream Wave 1.0.1.26 TLS Man-In-The-Middle
https://notcve.org/view.php?id=CVE-2016-1519
18 Mar 2016 — The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. • http://packetstormsecurity.com/files/136290/Grandstream-Wave-1.0.1.26-TLS-Man-In-The-Middle.html • CWE-295: Improper Certificate Validation