» 2019 » 3월

CVE-2019-10664

Posted on 2019년 3월 31일2019년 4월 1일 by admin

CVE-2019-10664

Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.

Source: CVE-2019-10664

CVE-2019-10657

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10657

Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.

Source: CVE-2019-10657

CVE-2019-10663

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10663

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.

Source: CVE-2019-10663

CVE-2019-10662

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10662

Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.

Source: CVE-2019-10662

CVE-2019-10661

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10661

On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.

Source: CVE-2019-10661

CVE-2019-10659

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10659

Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.

Source: CVE-2019-10659

CVE-2019-10658

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10658

Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.

Source: CVE-2019-10658

CVE-2019-10656

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10656

Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.

Source: CVE-2019-10656

CVE-2019-10660

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10660

Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.

Source: CVE-2019-10660

CVE-2019-10655

Posted on 2019년 3월 31일2019년 3월 31일 by admin

CVE-2019-10655

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

Source: CVE-2019-10655