CVE-2020-5738

Severity CVSS v4.0: Pending analysis
Type: CWE-59 Link Following
Publication date: 14/04/2020
Last modified: 14/04/2020

Description

Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker uploads a specially crafted tar file to the HTTP /cgi-bin/upload_vpntar interface.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:grandstream:gxp1610_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1610:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:grandstream:gxp1615_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1615:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:grandstream:gxp1620_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1620:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:grandstream:gxp1625_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1625:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:grandstream:gxp1628_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1628:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:grandstream:gxp1630_firmware:*:*:*:*:*:*:*:* | | 1.0.4.152 (including) |
| cpe:2.3:h:grandstream:gxp1630:-:*:*:*:*:*:*:* | | |


References to Advisories, Solutions, and Tools