4 matches found
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump', 'Description' = %q This module uses a blind SQL injection CVE-2020-572...
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
This module uses a blind SQL injection CVE-2020-5724 affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge as part of a challenge and response authentication...
CVE-2020-5724
creationtimestamp| type| source ---|---|--- 2022-02-15 17:41:31+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/grandstreamucm62xxsqlaccountguess.rb 2024-10-18 16:52:06+00:00| published-proof-of-concept| https://t.me/CyberSecurityTechnologies/881...
CVE-2020-5724
CVE-2020-5724 affects Grandstream UCM6200/UCM62xx devices prior to firmware 1.0.20.22. The vulnerability is an SQL injection in the HTTP server’s websockify endpoint that can be exploited by an unauthenticated remote attacker via the challenge action with a crafted username, potentially revealing...