ID

VAR-202009-0283


CVE

CVE-2020-14024


TITLE

Ozeki NG SMS Gateway Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-011457

DESCRIPTION

Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET parameter in the /default URL of the application. Ozeki NG SMS Gateway contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. The program can convert incoming emails to SMS and send them to a mobile phone. Its main functions are: (1) sending and receiving messages in both directions (from phone to system and from system to phone); (2) support for various desktop email and webmail applications; (3) a powerful server that supports the program and stores the SMS messages you send and receive; (4) support for multiple devices, etc. An attacker could exploit this vulnerability to execute client-side code.

Trust: 1.71

sources: NVD: CVE-2020-14024 // JVNDB: JVNDB-2020-011457 // VULHUB: VHN-166861

AFFECTED PRODUCTS

vendor: ozeki, model: ng sms gateway, scope: lte, version: 4.17.6

Trust: 1.0

vendor: ozeki, model: ng-sms gateway, scope: eq, version: -

Trust: 0.8

vendor: ozeki, model: ng-sms gateway, scope: lte, version: 4.17.6 until

Trust: 0.8

sources: JVNDB: JVNDB-2020-011457 // NVD: CVE-2020-14024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14024
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-14024
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202009-1327
value: MEDIUM

Trust: 0.6

VULHUB: VHN-166861
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14024
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-166861
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14024
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-14024
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166861 // JVNDB: JVNDB-2020-011457 // CNNVD: CNNVD-202009-1327 // NVD: CVE-2020-14024

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-166861 // JVNDB: JVNDB-2020-011457 // NVD: CVE-2020-14024

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1327

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202009-1327

PATCH

title: Download Ozeki Software Products, url: http://www.ozeki.hu/index.php?owpn=231

Trust: 0.8

title: Ozeki NG SMS Gateway Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129296

Trust: 0.6

sources: JVNDB: JVNDB-2020-011457 // CNNVD: CNNVD-202009-1327

EXTERNAL IDS

db: NVD, id: CVE-2020-14024

Trust: 2.5

db: JVNDB, id: JVNDB-2020-011457

Trust: 0.8

db: CNNVD, id: CNNVD-202009-1327

Trust: 0.7

db: CNVD, id: CNVD-2020-53529

Trust: 0.1

db: VULHUB, id: VHN-166861

Trust: 0.1

sources: VULHUB: VHN-166861 // JVNDB: JVNDB-2020-011457 // CNNVD: CNNVD-202009-1327 // NVD: CVE-2020-14024

REFERENCES

url: https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14024-multiple%20xss-ozeki%20sms%20gateway

Trust: 2.5

url: https://www.ozeki.hu/index.php?owpn=231

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-14024

Trust: 1.4

sources: VULHUB: VHN-166861 // JVNDB: JVNDB-2020-011457 // CNNVD: CNNVD-202009-1327 // NVD: CVE-2020-14024

SOURCES

db: VULHUB, id: VHN-166861
db: JVNDB, id: JVNDB-2020-011457
db: CNNVD, id: CNNVD-202009-1327
db: NVD, id: CVE-2020-14024

LAST UPDATE DATE

2024-11-23T22:58:09.524000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166861, date: 2020-09-26T00:00:00
db: JVNDB, id: JVNDB-2020-011457, date: 2021-04-02T07:53:00
db: CNNVD, id: CNNVD-202009-1327, date: 2020-09-27T00:00:00
db: NVD, id: CVE-2020-14024, date: 2024-11-21T05:02:22.507

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166861, date: 2020-09-22T00:00:00
db: JVNDB, id: JVNDB-2020-011457, date: 2021-04-02T00:00:00
db: CNNVD, id: CNNVD-202009-1327, date: 2020-09-22T00:00:00
db: NVD, id: CVE-2020-14024, date: 2020-09-22T18:15:23.543