CVE-2020-5722
Severity CVSS v4.0:
Pending analysis
Type:
CWE-89
SQL Injection
Publication date:
23/03/2020
Last modified:
19/03/2025
Description
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
10.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:grandstream:ucm6200_firmware:*:*:*:*:*:*:*:* | 1.0.19.20 (excluding) | |
| cpe:2.3:h:grandstream:ucm6200:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-15
- http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/165708/Grandstream-UCM62xx-IP-PBX-sendPasswordEmail-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-15