Overview
The Grandsteam GXV3611_HD is an IP network camera used for surveillance and security. The Grandsteam GXV3611_HD is vulnerable to a SQL injection attack.
Description
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2866 The Grandstream GXV3611_HD camera with firmware of 1.0.3.6 or before does not correctly perform input validation on the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera's configuration. |
Impact
A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device. |
Solution
Update the firmware |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| Temporal | 5 | E:POC/RL:OF/RC:C |
| Environmental | 3.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-2866 |
| Date Public: | 2015-07-07 |
| Date First Published: | 2015-07-07 |
| Date Last Updated: | 2015-07-07 18:33 UTC |
| Document Revision: | 53 |