CVE-2016-1520 - The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update

CVE-2016-1520

Summary

The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application.

References

Vulnerable Configurations

cpe:2.3:a:grandstream:wave:1.0.1.26:*:*:*:*:android:*:*
cpe:2.3:a:grandstream:wave:1.0.1.26:*:*:*:*:android:*:*

CVSS

Base:	6.8 (as of 09-10-2018 - 19:59)
Impact:
Exploitability:

CWE

CWE-254

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20160317 CVE-2016-1520: GrandStream Android VoIP App Update Redirection
misc	http://packetstormsecurity.com/files/136291/Grandstream-Wave-1.0.1.26-Update-Redirection.html https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1520-app-update-redirection.pdf

Last major update

09-10-2018 - 19:59

Published

21-04-2017 - 20:59

Last modified

09-10-2018 - 19:59