CVE-2018-17564

EUVD-2018-9317
A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device.

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Score
Percentile: 66%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| grandstream | gxp1610_firmware | 1.0.4.128 |
| grandstream | gxp1615_firmware | 1.0.4.128 |
| grandstream | gxp1620_firmware | 1.0.4.128 |
| grandstream | gxp1625_firmware | 1.0.4.128 |
| grandstream | gxp1628_firmware | 1.0.4.128 |
| grandstream | gxp1630_firmware | 1.0.4.128 |