CVE-2020-5757
Summary
| CVE | CVE-2020-5757 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-07-17 21:15:00 UTC |
| Updated | 2020-07-23 14:33:00 UTC |
| Description | Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Grandstream | Ucm6202 | - | All | All | All |
| Operating System | Grandstream | Ucm6202 Firmware | All | All | All | All |
| Hardware | Grandstream | Ucm6204 | - | All | All | All |
| Operating System | Grandstream | Ucm6204 Firmware | All | All | All | All |
| Hardware | Grandstream | Ucm6208 | - | All | All | All |
| Operating System | Grandstream | Ucm6208 Firmware | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2020-5757 | Tenable® | https://www.tenable.com/cve/CVE-2020-5757 | www.tenable.com, Third Party Advisory |
| SQL Injection in SRS Simple Hits Counter Plugin for WordPress - Research Advisory | Tenable® | CONFIRM | www.tenable.com, Not Applicable |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.