Published: 2020-09-22

Description:
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore

4.3/10

2.9/10

8.6/10

Exploit range
Attack complexity
Authentication

Remote

Medium

No required

Confidentiality impact
Integrity impact
Availability impact

None

Partial

None

 References:

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14024-Multiple%20XSS-Ozeki%20SMS%20Gateway

https://www.ozeki.hu/index.php?owpn=231

closedb();
?>


Copyright 2020, cxsecurity.com

 



Source link