CVE-2015-2866 – Grandsteam GXV3611_HD - SQL Injection
https://notcve.org/view.php?id=CVE-2015-2866
SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted username. Vulnerabilidad de inyección SQL en la camera Grandstream GXV3611_HD con firmware anterior a 1.0.3.9 beta permite a atacantes remotos ejecutar comandos SQL arbitrarios mediante el intento de establecer una sesión TELNET con un nombre de usuario manipulado. • https://www.exploit-db.com/exploits/40441 http://www.kb.cert.org/vuls/id/253708 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-3542 – Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-3542
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, which makes it easier for remote attackers to obtain access via a TELNET session. Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, y posiblemente otros modelos de cámara con versión de firmware 1.0.4.11, poseen una cuenta embebida "!#/" con la misma contraseña, lo que facilita a atacantes remotos obtener acceso por medio de una sesión TELNET. Grandstream Series IP cameras suffer from backdoor, cross site request forgery, and cross site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2013/Jun/84 https://www.youtube.com/watch?v=XkCBs4lenhI • CWE-798: Use of Hard-coded Credentials •
CVE-2013-3962 – Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-3962
Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Vulnerabilidad de XSS en Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, y posiblemente otros modelos de cámara anteriores al firmware 1.0.4.44, permite a atacantes remotos inyectar script web arbitrario o HTML a través de PATH_INFO. Grandstream Series IP cameras suffer from backdoor, cross site request forgery, and cross site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2013/Jun/84 http://www.grandstream.com/firmware/BETATEST/GXV35xx_GXV36xx_H/Release_Note_GXV35xx_GXV36xx_H1.0.4.44.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-3963 – Grandstream Multiple IP Cameras - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-3963
Cross-site request forgery (CSRF) vulnerability in goform/usermanage in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models allows remote attackers to hijack the authentication of unspecified victims for requests that add users. Vulnerabilidad de CSRF en goform/usermanage en Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, y posiblemente otros modelos de cámara permite a atacantes remotos secuestrar la autenticación de víctimas sin especificar para peticiones que incluyan usuarios. Grandstream Series IP cameras suffer from backdoor, cross site request forgery, and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/38584 http://seclists.org/fulldisclosure/2013/Jun/84 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2007-5789
https://notcve.org/view.php?id=CVE-2007-5789
The Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a flood of fragmented packets to port 5060. The Grandstream HT-488 0.1 permite a atacantes remotos provocar una denegación de servicio (caída del dispositivo) mediante inundación de paquetes fragmentados al puerto 5060. • http://osvdb.org/40186 http://secunia.com/advisories/27401 http://www.securityfocus.com/bid/26349 http://www.sipera.com/index.php?action=resources%2Cthreat_advisory&tid=362 https://exchange.xforce.ibmcloud.com/vulnerabilities/37414 •