Grandstream UCM62xx IP PBX sendPasswordEmail Remote Code Execution Exploit
This Metasploit module exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root. This module requires Metasploi...
CVE-2020-5722
The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions befo...
Grandstream UCM6204 Command Injection Vulnerability
The Grandstream UCM6204 is an IP PBX (Private Branch eXchange) device from Grandstream. A security vulnerability exists in Grandstream UCM6204 versions prior to 1.0.19.20. An attacker can exploit the vulnerability to execute unauthorized commands...
Grandstream UCM6204 SQL Injection Vulnerability
The Grandstream UCM6204 is an IP PBX (Private Branch eXchange) device from Grandstream. A SQL injection vulnerability exists in Grandstream UCM6204 versions prior to 1.0.19.20; it arises because the database-backed application does not validate externally supplied input before using it in SQL statements. An attacker...
CVE-2019-10663
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI...
PT-2019-11975 · Grandstream · Grandstream Ucm6204
Name of the Vulnerable Software and Affected Versions: Grandstream UCM6204 version 1.0.19.20 and earlier
Description: The issue allows remote authenticated users to execute arbitrary code via shell metacharacters in the file-backup parameter to the "/cgi" API endpoint.
Recommendations: For...