Vendor CVEs
Grandstream
All CVEs
62 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17563 | | | 0.00 | — | 0.01 | | Apr 1, 2019 | A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext. |
| CVE-2019-10663 | | | 0.00 | — | 0.28 | | Mar 30, 2019 | Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI. |
| CVE-2019-10661 | | | 0.00 | — | 0.02 | | Mar 30, 2019 | On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password. |
| CVE-2019-10660 | | | 0.00 | — | 0.03 | | Mar 30, 2019 | Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. |
| CVE-2019-10659 | | | 0.00 | — | 0.03 | | Mar 30, 2019 | Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. |
| CVE-2019-10658 | | | 0.00 | — | 0.03 | | Mar 30, 2019 | Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. |
| CVE-2019-10657 | | | 0.00 | — | 0.01 | | Mar 30, 2019 | Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request. |
| CVE-2019-10656 | | | 0.00 | — | 0.04 | | Mar 30, 2019 | Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. |
| CVE-2013-3962 | | | 0.00 | — | 0.01 | | Oct 1, 2013 | Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44, allows remote attackers to inject arbitrary web… |
| CVE-2007-5789 | | | 0.00 | — | 0.02 | | Nov 1, 2007 | The Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a flood of fragmented packets to port 5060. |
| CVE-2007-5788 | | | 0.00 | — | 0.02 | | Nov 1, 2007 | Buffer overflow in the SIP parser on the Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a crafted SIP INVITE message. |
| CVE-2006-5231 | | | 0.00 | — | 0.02 | | Oct 11, 2006 | Grandstream GXP-2000 VoIP Desktop Phone, firmware version 1.1.0.5, allows remote attackers to cause a denial of service (hang or reboot) via a large amount of ASCII data sent to port (1) 5060/UDP, (2) 5062/UDP, (3) 5064/UDP, (4) 5066/UDP, (5) 9876/UDP, or (6) 26789/UDP. |