Details of VAR-202009-0280

ID

VAR-202009-0280

CVE

CVE-2020-14021

TITLE

Ozeki NG SMS Gateway Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-011469

DESCRIPTION

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The ASP.net SMS module can be used to read and validate the source code of ASP files. By altering the path, it can be made to read any file on the Operating System, usually with NT AUTHORITY\SYSTEM privileges. The program can convert your incoming emails to SMS and send them to your mobile phone. The main functions are: (1), send and receive messages in two ways (from phone to system, from system to phone); (2), support various applications of desktop email and Webmail; (3), powerful The server supports the program and stores your SMS to send and receive these; (4), supports multiple devices, etc. An attacker could exploit this vulnerability to read any file on the operating system

Trust: 1.71

sources: NVD: CVE-2020-14021 // JVNDB: JVNDB-2020-011469 // VULHUB: VHN-166858

AFFECTED PRODUCTS

vendor:	ozeki	model:	ng sms gateway	scope:	lte	version:	4.17.6	Trust: 1.0
vendor:	ozeki	model:	ng-sms gateway	scope:	eq	version:	-	Trust: 0.8
vendor:	ozeki	model:	ng-sms gateway	scope:	lte	version:	4.17.6 until	Trust: 0.8

sources: JVNDB: JVNDB-2020-011469 // NVD: CVE-2020-14021

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-14021
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-14021
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202009-1245
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-166858
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-14021
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-166858
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-14021
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-14021
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-166858 // JVNDB: JVNDB-2020-011469 // CNNVD: CNNVD-202009-1245 // NVD: CVE-2020-14021

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-011469 // NVD: CVE-2020-14021

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1245

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-1245

PATCH

title:	Download Ozeki Software Products	url:	http://www.ozeki.hu/index.php?owpn=231	Trust: 0.8
title:	Ozeki NG SMS Gateway Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128915	Trust: 0.6

sources: JVNDB: JVNDB-2020-011469 // CNNVD: CNNVD-202009-1245

EXTERNAL IDS

db:	NVD	id:	CVE-2020-14021	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-011469	Trust: 0.8
db:	CNNVD	id:	CNNVD-202009-1245	Trust: 0.7
db:	VULHUB	id:	VHN-166858	Trust: 0.1

sources: VULHUB: VHN-166858 // JVNDB: JVNDB-2020-011469 // CNNVD: CNNVD-202009-1245 // NVD: CVE-2020-14021

REFERENCES

url:	https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14021-arbitrary%20file%20read-ozeki%20sms%20gateway	Trust: 2.5
url:	https://www.ozeki.hu/index.php?owpn=231	Trust: 1.7
url:	https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2fattachments%2f702%2finstallwindows_1590575794_ozeking-sms-gateway_4.17.6.zip&dname=ozeki+ng+sms+gateway+v4.17.6&dsize=+%2817.8+mb%29&platform=windows	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14021	Trust: 1.4
url:	https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2fattachments%2f702%2finstallwindows_1590575794_ozeking-sms-gateway_4.17.6.zip&dname=ozeki+ng+sms+gateway+v4.17.6&dsize=+%2817.8+mb%29&platform=windows	Trust: 0.1

sources: VULHUB: VHN-166858 // JVNDB: JVNDB-2020-011469 // CNNVD: CNNVD-202009-1245 // NVD: CVE-2020-14021

SOURCES

db:	VULHUB	id:	VHN-166858
db:	JVNDB	id:	JVNDB-2020-011469
db:	CNNVD	id:	CNNVD-202009-1245
db:	NVD	id:	CVE-2020-14021

LAST UPDATE DATE

2024-11-23T22:47:52.533000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-166858	date:	2020-09-26T00:00:00
db:	JVNDB	id:	JVNDB-2020-011469	date:	2021-04-05T05:48:00
db:	CNNVD	id:	CNNVD-202009-1245	date:	2020-09-27T00:00:00
db:	NVD	id:	CVE-2020-14021	date:	2024-11-21T05:02:22.077

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-166858	date:	2020-09-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-011469	date:	2021-04-05T00:00:00
db:	CNNVD	id:	CNNVD-202009-1245	date:	2020-09-18T00:00:00
db:	NVD	id:	CVE-2020-14021	date:	2020-09-18T18:15:16.207