CVE-2024-0840 Grandstream UCM Series IP PBX HTTP Parameter Injection

Published: 2024-04-29 18:42:57
CWE-141
Source: VulnCheck (www.cve.org)
grandstream
ip pbx
http interface
parameter injection
remote attack
arbitrary code
default credentials
ucm6202
ucm6204
ucm6208
ucm6510

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9 (Confidence: High)
EPSS: 0 (Percentile: 9.0%)

The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and password. Affected models are the UCM6202, UCM6204, UCM6208, and UCM6510.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "UCM Series",
    "vendor": "Grandstream",
    "versions": [
      {
        "lessThan": "<1.0.20.52",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
