ID

VAR-202009-0281


CVE

CVE-2020-14022


TITLE

Ozeki NG SMS Gateway Unrestricted Upload of Dangerous File Types Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-011455

DESCRIPTION

Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (e.g. the "Application Starter" module) within the application.

Ozeki NG SMS Gateway is vulnerable to unrestricted upload of dangerous file types. Information may be obtained or tampered with, and service may be disrupted (DoS).

Ozeki NG SMS Gateway is software that allows you to access mobile networks through your computer. The program can convert your incoming emails to SMS and send them to your mobile phone. Ozeki NG SMS Gateway is very reliable and operates 24 hours a day, 7 days a week. The main functions are: (1) two-way sending and receiving of messages (from phone to system, from system to phone); (2) support for various desktop email and webmail applications; (3) a powerful server that supports the program and stores the SMS messages you send and receive; (4) support for multiple devices, etc. Ozeki NG SMS Gateway versions 4.17.1 to 4.17.6 have a security vulnerability. This vulnerability stems from the fact that the file type is not verified when uploading contact lists in batches.

Trust: 1.71

sources: NVD: CVE-2020-14022 // JVNDB: JVNDB-2020-011455 // VULHUB: VHN-166859

AFFECTED PRODUCTS

vendor: ozeki, model: ng sms gateway, scope: lte, version: 4.17.6

Trust: 1.0

vendor: ozeki, model: ng-sms gateway, scope: eq, version: -

Trust: 0.8

vendor: ozeki, model: ng-sms gateway, scope: eq, version: 4.17.1 to 4.17.6

Trust: 0.8

sources: JVNDB: JVNDB-2020-011455 // NVD: CVE-2020-14022

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-14022
value: HIGH

Trust: 1.0

NVD: CVE-2020-14022
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-1322
value: HIGH

Trust: 0.6

VULHUB: VHN-166859
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-14022
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-166859
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-14022
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-14022
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166859 // JVNDB: JVNDB-2020-011455 // CNNVD: CNNVD-202009-1322 // NVD: CVE-2020-14022

PROBLEMTYPE DATA

problemtype: CWE-434

Trust: 1.1

problemtype: Unrestricted upload of dangerous file types (CWE-434) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-166859 // JVNDB: JVNDB-2020-011455 // NVD: CVE-2020-14022

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1322

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202009-1322

PATCH

title: Download Ozeki Software Products, url: http://www.ozeki.hu/index.php?owpn=231

Trust: 0.8

title: Ozeki NG SMS Gateway Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129292

Trust: 0.6

sources: JVNDB: JVNDB-2020-011455 // CNNVD: CNNVD-202009-1322

EXTERNAL IDS

db: NVD, id: CVE-2020-14022

Trust: 2.5

db: JVNDB, id: JVNDB-2020-011455

Trust: 0.8

db: CNNVD, id: CNNVD-202009-1322

Trust: 0.7

db: VULHUB, id: VHN-166859

Trust: 0.1

sources: VULHUB: VHN-166859 // JVNDB: JVNDB-2020-011455 // CNNVD: CNNVD-202009-1322 // NVD: CVE-2020-14022

REFERENCES

url: https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14022-dangerous%20file%20upload-ozeki%20sms%20gateway

Trust: 2.5

url: https://www.ozeki.hu/index.php?owpn=231

Trust: 1.7

url: https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2fattachments%2f702%2finstallwindows_1590575794_ozeking-sms-gateway_4.17.6.zip&dname=ozeki+ng+sms+gateway+v4.17.6&dsize=+%2817.8+mb%29&platform=windows

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-14022

Trust: 1.4

url: https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2fattachments%2f702%2finstallwindows_1590575794_ozeking-sms-gateway_4.17.6.zip&dname=ozeki+ng+sms+gateway+v4.17.6&dsize=+%2817.8+mb%29&platform=windows

Trust: 0.1

sources: VULHUB: VHN-166859 // JVNDB: JVNDB-2020-011455 // CNNVD: CNNVD-202009-1322 // NVD: CVE-2020-14022

SOURCES

db: VULHUB, id: VHN-166859
db: JVNDB, id: JVNDB-2020-011455
db: CNNVD, id: CNNVD-202009-1322
db: NVD, id: CVE-2020-14022

LAST UPDATE DATE

2024-11-23T21:59:02.653000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166859, date: 2020-09-26T00:00:00
db: JVNDB, id: JVNDB-2020-011455, date: 2021-04-02T07:53:00
db: CNNVD, id: CNNVD-202009-1322, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2020-14022, date: 2024-11-21T05:02:22.217

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166859, date: 2020-09-22T00:00:00
db: JVNDB, id: JVNDB-2020-011455, date: 2021-04-02T00:00:00
db: CNNVD, id: CNNVD-202009-1322, date: 2020-09-22T00:00:00
db: NVD, id: CVE-2020-14022, date: 2020-09-22T18:15:23.417