CVE-2020-5725

Summary

The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords.

Affected Software

VendorProductVersion RangeStatus
n/aGrandstream UCM6200 series1.0.20.20 and belowaffected

Weaknesses

  • CWE-89: SQL Injection (CWE-89)

ADP Enrichment

CVE Program Container

Additional References

References