Vulnerability Note VU#253708
Grandstream GXV3611_HD camera is vulnerable to SQL injection
The Grandstream GXV3611_HD is an IP network camera used for surveillance and security. It is vulnerable to a SQL injection attack.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2866
The Grandstream GXV3611_HD camera with firmware version 126.96.36.199 or earlier does not correctly validate input in the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera's configuration.
A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.
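The input-handling flaw described above, shown as an added example that is not code from the vendor or from this note: a login-name lookup built by string concatenation beside a validated, parameter-bound version. The SQLite schema, function names, allow-list pattern and sample input are all constructed assumptions, since the camera's actual query is not published here.

```python
import re
import sqlite3

# Constructed stand-in for a device configuration store; the camera's real
# schema and query are not published in this note.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return db

def lookup_vulnerable(db, username):
    # Flawed pattern: the login name is spliced into the SQL text, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound_only(db, username):
    # Binding: the driver passes the value separately from the statement
    # text, so metacharacters in the name stay data.
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (username,))]

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed allow-list policy

def lookup_hardened(db, username):
    # Defence in depth: reject names outside the allow-list before any SQL
    # is issued, then use the bound query.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_bound_only(db, username)

# Constructed regression input: a login name containing SQL metacharacters.
HOSTILE_NAME = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, HOSTILE_NAME))
    print("bound only:", lookup_bound_only(db, HOSTILE_NAME))
    try:
        lookup_hardened(db, HOSTILE_NAME)
    except ValueError as exc:
        print("hardened :", exc)
```

The same constructed input works as a regression test for any login handler: the concatenated query matches a row for a user that does not exist, while the bound query matches none.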
Update the firmware
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Grandstream | Affected | - | 30 Jun 2015 |
Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-2866
- Date Public: 07 Jul 2015
- Date First Published: 07 Jul 2015
- Date Last Updated: 07 Jul 2015
- Document Revision: 51