Details of VAR-202103-0194

ID

VAR-202103-0194

CVE

CVE-2020-25218

TITLE

Grandstream GRP261x VoIP phone Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-016409

DESCRIPTION

Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allow Authentication Bypass in its administrative web interface. Grandstream GRP261x VoIP phone Contains an authentication vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Grandstream GRP261x VoIP phone is an IP phone of American Grandstream company. Carrier-grade IP phones designed for large-scale deployment. No detailed vulnerability details are currently provided

Trust: 2.25

sources: NVD: CVE-2020-25218 // JVNDB: JVNDB-2020-016409 // CNVD: CNVD-2021-28363 // VULMON: CVE-2020-25218

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-28363

AFFECTED PRODUCTS

vendor:	grandstream	model:	grp2615	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2616	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2614	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612w	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612p	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2613	scope:	eq	version:	1.0.3.6	Trust: 1.0
vendor:	grandstream	model:	grp2612	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2612w	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2615	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2613	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2614	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2612p	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp2616	scope:	-	version:	-	Trust: 0.8
vendor:	grandstream	model:	grp261x voip phone running	scope:	eq	version:	1.0.3.6	Trust: 0.6

sources: CNVD: CNVD-2021-28363 // JVNDB: JVNDB-2020-016409 // NVD: CVE-2020-25218

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-25218
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2020-25218
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2021-28363
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202103-1623
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2020-25218
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-25218
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-28363
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-25218
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-25218
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-28363 // VULMON: CVE-2020-25218 // JVNDB: JVNDB-2020-016409 // CNNVD: CNNVD-202103-1623 // NVD: CVE-2020-25218

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Improper authentication (CWE-287) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-016409 // NVD: CVE-2020-25218

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1623

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202103-1623

PATCH

title:	Important Firmware News (HD IP Phones)	url:	http://grandstream.com/support/firmware	Trust: 0.8
title:	Patch for Grandstream GRP261x VoIP phone running firmware authorization issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/258146	Trust: 0.6
title:	Grandstream GRP261x VoIP phone Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146038	Trust: 0.6

sources: CNVD: CNVD-2021-28363 // JVNDB: JVNDB-2020-016409 // CNNVD: CNNVD-202103-1623

EXTERNAL IDS

db:	NVD	id:	CVE-2020-25218	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-016409	Trust: 0.8
db:	CNVD	id:	CNVD-2021-28363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202103-1623	Trust: 0.6
db:	VULMON	id:	CVE-2020-25218	Trust: 0.1

sources: CNVD: CNVD-2021-28363 // VULMON: CVE-2020-25218 // JVNDB: JVNDB-2020-016409 // CNNVD: CNNVD-202103-1623 // NVD: CVE-2020-25218

REFERENCES

url:	https://github.com/fireeye/vulnerability-disclosures/blob/master/feye-2021-0002/feye-2021-0002.md	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25218	Trust: 2.0
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 1.6
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-28363 // VULMON: CVE-2020-25218 // JVNDB: JVNDB-2020-016409 // CNNVD: CNNVD-202103-1623 // NVD: CVE-2020-25218

SOURCES

db:	CNVD	id:	CNVD-2021-28363
db:	VULMON	id:	CVE-2020-25218
db:	JVNDB	id:	JVNDB-2020-016409
db:	CNNVD	id:	CNNVD-202103-1623
db:	NVD	id:	CVE-2020-25218

LAST UPDATE DATE

2024-11-23T21:58:47.053000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-28363	date:	2021-04-15T00:00:00
db:	VULMON	id:	CVE-2020-25218	date:	2021-03-31T00:00:00
db:	JVNDB	id:	JVNDB-2020-016409	date:	2021-12-01T08:40:00
db:	CNNVD	id:	CNNVD-202103-1623	date:	2022-07-11T00:00:00
db:	NVD	id:	CVE-2020-25218	date:	2024-11-21T05:17:41.217

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-28363	date:	2021-04-15T00:00:00
db:	VULMON	id:	CVE-2020-25218	date:	2021-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2020-016409	date:	2021-12-01T00:00:00
db:	CNNVD	id:	CNNVD-202103-1623	date:	2021-03-29T00:00:00
db:	NVD	id:	CVE-2020-25218	date:	2021-03-29T17:15:14.990