7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
50.6%
The Grandsteam GXV3611_HD is an IP network camera used for surveillance and security. The Grandsteam GXV3611_HD is vulnerable to a SQL injection attack.
CWE-89**: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) -**CVE-2015-2866
The Grandstream GXV3611_HD camera with firmware of 1.0.3.6 or before does not correctly perform input validation on the username
field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera’s configuration.
A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.
Update the firmware
Grandstream has released firmware 1.0.3.9 beta to address this issue. Consider updating your camera’s firmware as soon as possible.
253708
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: June 30, 2015
Affected
We have not received a statement from the vendor.
According to the vendor, this issue has been officially resolved in the latest beta firmware (version 1.0.3.9 beta)
Group | Score | Vector |
---|---|---|
Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Temporal | 5 | E:POC/RL:OF/RC:C |
Environmental | 3.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
<http://www.grandstream.com/support/firmware>
Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-2866 |
---|---|
Date Public: | 2015-07-07 Date First Published: |