This page lists publicly disclosed CVE vulnerabilities affecting grandstream ht802_firmware (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-5763 | Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt. | [email protected] | 8.8 | 1.62% | 2020-07-29 | 2024-11-21 |
| CVE-2020-5762 | Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service. An unauthenticated remote attacker can stop the service due to a NULL pointer dereference in the TR-069 service. This condition is triggered due to mishandling of the HTTP Authentication field. | [email protected] | 7.5 | 4.64% | 2020-07-29 | 2024-11-21 |
| CVE-2020-5761 | Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to CPU exhaustion due to an infinite loop in the TR-069 service. Unauthenticated remote attackers can trigger this case by sending a one character TCP message to the TR-069 service. | [email protected] | 7.5 | 3.89% | 2020-07-29 | 2024-11-21 |
| CVE-2020-5760 | Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message. | [email protected] | 7.8 | 5.05% | 2020-07-29 | 2024-11-21 |
| CVE-2017-16565 | Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests. | [email protected] | 8.8 | 0.14% | 2017-11-06 | 2026-05-13 |
| CVE-2017-16564 | Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). | [email protected] | 5.4 | 0.15% | 2017-11-06 | 2026-05-13 |
| CVE-2017-16563 | Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update. | [email protected] | 8.0 | 0.14% | 2017-11-06 | 2026-05-13 |