CVE-2019-10655

Grandstream GXV31XX settimezone Unauthenticated Command Execution

Severity Score (CVSS v3.1): 9.8
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 3
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-03-30 CVE Reserved
  • 2019-03-30 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-10-23 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor          Product           Version        Other  Status
Grandstream     Gac2500 Firmware  <= 1.0.3.35    -      Affected
in Grandstream  Gac2500           --                    Safe
Grandstream     Gvc3202 Firmware  < 1.0.3.51     -      Affected
in Grandstream  Gvc3202           --                    Safe
Grandstream     Gxv3275 Firmware  < 1.0.3.219    -      Affected
in Grandstream  Gxv3275           --                    Safe
Grandstream     Gxv3240 Firmware  < 1.0.3.219    -      Affected
in Grandstream  Gxv3240           --                    Safe
Grandstream     Gxp2200 Firmware  <= 1.0.3.27    -      Affected
in Grandstream  Gxp2200           --                    Safe