Sign-up

ID

VAR-201903-1405


CVE

CVE-2019-10662


TITLE

Grandstream UCM6204 Command injection vulnerability in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-003014

DESCRIPTION

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI. Grandstream UCM6204 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Grandstream UCM6204 is an IP PBX (Private Branch eXchange) device from Grandstream. There are security vulnerabilities in Grandstream UCM6204 versions prior to 1.0.19.20. An attacker could use this vulnerability to execute an illegal command

Trust: 2.25

sources: NVD: CVE-2019-10662 // JVNDB: JVNDB-2019-003014 // CNVD: CNVD-2019-42874 // VULMON: CVE-2019-10662

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-42874

AFFECTED PRODUCTS

vendor:grandstreammodel:ucm6204scope:ltversion:1.0.19.20

Trust: 2.4

sources: CNVD: CNVD-2019-42874 // JVNDB: JVNDB-2019-003014 // NVD: CVE-2019-10662

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10662
value: HIGH

Trust: 1.0

NVD: CVE-2019-10662
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-42874
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201903-1226
value: HIGH

Trust: 0.6

VULMON: CVE-2019-10662
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-10662
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-42874
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-10662
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10662
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-42874 // VULMON: CVE-2019-10662 // JVNDB: JVNDB-2019-003014 // CNNVD: CNNVD-201903-1226 // NVD: CVE-2019-10662

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:CWE-77

Trust: 0.8

sources: JVNDB: JVNDB-2019-003014 // NVD: CVE-2019-10662

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1226

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-1226

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003014

PATCH
title:Top Pageurl:http://www.grandstream.com/
Trust: 0.8
title:Patch for Grandstream UCM6204 command injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/192499
Trust: 0.6
title:Grandstream UCM6204 Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90910
Trust: 0.6
title:Grandstream Exploitsurl:https://github.com/scarvell/grandstream_exploits 
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-42874 // 
            
            
            
            VULMON: CVE-2019-10662 // 
            
            
            
            JVNDB: JVNDB-2019-003014 // 
            
            
            
            CNNVD: CNNVD-201903-1226

EXTERNAL IDS
db:NVDid:CVE-2019-10662
Trust: 3.1
db:JVNDBid:JVNDB-2019-003014
Trust: 0.8
db:CNVDid:CNVD-2019-42874
Trust: 0.6
db:CNNVDid:CNNVD-201903-1226
Trust: 0.6
db:PACKETSTORMid:165708
Trust: 0.1
db:VULMONid:CVE-2019-10662
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-42874 // 
            
            
            
            VULMON: CVE-2019-10662 // 
            
            
            
            JVNDB: JVNDB-2019-003014 // 
            
            
            
            CNNVD: CNNVD-201903-1226 // 
            
            
            
            NVD: CVE-2019-10662

REFERENCES
url:https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Trust: 1.7
url:https://github.com/scarvell/grandstream_exploits
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-10662
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10662
Trust: 0.8
url:https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920
Trust: 0.8
url:https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl;=1
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://packetstormsecurity.com/files/165708/grandstream-ucm62xx-ip-pbx-sendpasswordemail-remote-code-execution.html
Trust: 0.1
url:https://www.rapid7.com/db/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-42874 // 
            
            
            
            VULMON: CVE-2019-10662 // 
            
            
            
            JVNDB: JVNDB-2019-003014 // 
            
            
            
            CNNVD: CNNVD-201903-1226 // 
            
            
            
            NVD: CVE-2019-10662

SOURCES
db:CNVDid:CNVD-2019-42874
db:VULMONid:CVE-2019-10662
db:JVNDBid:JVNDB-2019-003014
db:CNNVDid:CNNVD-201903-1226
db:NVDid:CVE-2019-10662

LAST UPDATE DATE
2024-11-23T22:25:58.472000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-42874date:2019-11-29T00:00:00
db:VULMONid:CVE-2019-10662date:2023-03-01T00:00:00
db:JVNDBid:JVNDB-2019-003014date:2019-05-07T00:00:00
db:CNNVDid:CNNVD-201903-1226date:2020-10-28T00:00:00
db:NVDid:CVE-2019-10662date:2024-11-21T04:19:42.180

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-42874date:2019-11-29T00:00:00
db:VULMONid:CVE-2019-10662date:2019-03-30T00:00:00
db:JVNDBid:JVNDB-2019-003014date:2019-05-07T00:00:00
db:CNNVDid:CNNVD-201903-1226date:2019-03-30T00:00:00
db:NVDid:CVE-2019-10662date:2019-03-30T17:29:00.683