The Grandstream UCM6200 series prior to 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
grandstream ucm6202_firmware |
||
grandstream ucm6204_firmware |
||
grandstream ucm6208_firmware |