Is CVE-2019-10655 actively exploited?

CVE-2019-10655 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2019-10655?

CVE-2019-10655 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-10655?

Patch guidance is available from grandstream security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-10655.

Fix CVE-2019-10655 - CRITICAL grandstream gac2500 firmware

Q: Which products are affected by CVE-2019-10655?

5 products: grandstream gac2500 firmware, grandstream gvc3202 firmware, grandstream gxv3275 firmware, grandstream gxv3240 firmware, grandstream gxp2200 firmware.

Description

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection CWE-119 · Memory Buffer Errors CWE-352 · Cross-Site Request Forgery

Metadata

Primary Vendor: GRANDSTREAM
Published: 3/30/2019
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

grandstream : gac2500_firmwaregrandstream : gvc3202_firmwaregrandstream : gxv3275_firmwaregrandstream : gxv3240_firmwaregrandstream : gxp2200_firmware

Remediation Guidance

Executive Summary

View on NIST NVD