CVE-2019-10660

HIGH

Grandstream GXV3611IR_HD < 1.0.3.23 - Authenticated OS Command Injection via logserver Parameter

Title source: llm

Description

Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1

Third Party Advisory x_refsource_misc

https://github.com/scarvell/grandstream_exploits

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0267

EPSS Percentile 83.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

grandstream/gxv3611ir_hd_firmware < 1.0.3.23

Published Mar 30, 2019

Tracked Since Feb 18, 2026