CVE-2020-5723

Published: 30/03/2020 Updated: 01/04/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 540
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The UCM6200 series firmware 1.0.20.22 and below stores user passwords unencrypted in an SQLite database. This could allow a malicious user to retrieve all passwords and possibly gain elevated privileges.

Vulnerable Products

grandstream ucm6202_firmware

grandstream ucm6204_firmware

grandstream ucm6208_firmware

Exploits

Metasploit Modules

Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump

This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.

msf > use auxiliary/gather/grandstream_ucm62xx_sql_account_guess
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show actions
    ...actions...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > set ACTION < action-name >
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show options
    ...show and set options...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > run