PT-2020-6384 · Grandstream · Grandstream Ucm6200 Series
Jacob Baines · Published 2020-03-23 · Updated 2025-10-31 · CVE-2020-5722
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Grandstream UCM6200 series versions prior to 1.0.19.20
Grandstream UCM6200 series versions prior to 1.0.20.17
Description
The HTTP interface of the Grandstream UCM6200 series is vulnerable to unauthenticated remote SQL injection via a crafted HTTP request. This issue is related to errors in input data validation. An attacker can exploit this to execute shell commands as root or inject HTML in password recovery emails.
Recommendations
For versions prior to 1.0.19.20, update to version 1.0.19.20 or later to resolve the issue.
For versions prior to 1.0.20.17, update to version 1.0.20.17 or later to prevent HTML injection in password recovery emails.
As a temporary workaround, consider restricting access to the HTTP interface until a patch is applied.
Exploit
Fix
SQL injection
Affected Products
Grandstream Ucm6200 Series