CVE-2016-1518

Published: Apr 21, 2017Modified: May 13, 2026

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.

Affected (1)

Products: Grandstream: Wave

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Grandstream Wave	Up to 1.0.1.26

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-The-Middle.html

Source: cret@cert.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/archive/1/537818/100/0/threaded

Source: cret@cert.org

https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisioning.pdf

Source: cret@cert.org

Third Party Advisory

http://packetstormsecurity.com/files/136280/Grandstream-Wave-1.0.1.26-Man-In-The-Middle.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/archive/1/537818/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

https://rt-solutions.de/wp-content/uploads/2016/04/CVE-2016-1518-insecure-provisioning.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.