CVE-2020-5724

Published: 30/03/2020 Updated: 30/03/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 540
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The Grandstream UCM6200 series prior to 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.

Vulnerable Products

grandstream ucm6202_firmware

grandstream ucm6204_firmware

grandstream ucm6208_firmware

Metasploit Modules

Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump

This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.

msf > use auxiliary/gather/grandstream_ucm62xx_sql_account_guess
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show actions
    ...actions...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > set ACTION <action-name>
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show options
    ...show and set options...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > run