8.1

CVE-2016-1518

EPSS 0.85%
Veröffentlicht 21.04.2017 20:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cret@cert.org
CVE-Watchlists
Login
Unerledigt
Login

The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Grandstream ≫ Wave SwPlatformandroid Version <= 1.0.1.26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.85%	0.728

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-The-Middle.html

Third Party Advisory

VDB Entry

http://www.securityfocus.com/archive/1/537818/100/0/threaded

https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisioning.pdf

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-1518

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-1518

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-1518

EUVD