CVE-2020-5724: SQL Injection
First published: Mon Mar 30 2020(Updated: )
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grandstream Ucm6202 Firmware | <1.0.20.22 | |
| Grandstream Ucm6202 | ||
| Grandstream Ucm6204 Firmware | <1.0.20.22 | |
| Grandstream UCM6204 | ||
| Grandstream Ucm6208 Firmware | <1.0.20.22 | |
| Grandstream Ucm6208 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-5724.
What is the severity of CVE-2020-5724?
The severity of CVE-2020-5724 is high, with a CVSS score of 7.5.
Which software versions are affected by CVE-2020-5724?
The Grandstream UCM6200 series firmware versions up to (but not including) 1.0.20.22 are affected by CVE-2020-5724.
How does the vulnerability in CVE-2020-5724 work?
The vulnerability in CVE-2020-5724 allows a remote unauthenticated attacker to perform SQL injection via the HTTP server's websockify endpoint, potentially compromising user passwords.
Is there a fix available for CVE-2020-5724?
Yes, upgrading to version 1.0.20.22 or later of the Grandstream UCM6200 series firmware addresses the vulnerability in CVE-2020-5724.