CVE-2020-5724

Name of the Vulnerable Software and Affected Versions Grandstream UCM6200 series versions prior to 1.0.20.22

Description The issue allows a remote unauthenticated attacker to perform an SQL injection via the HTTP server's websockify endpoint. By invoking the challenge action with a crafted username, an attacker can discover user passwords.

Recommendations For Grandstream UCM6200 series versions prior to 1.0.20.22, update to version 1.0.20.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the websockify endpoint until a patch is applied. Avoid using crafted usernames in the challenge action to minimize the risk of exploitation.