ID

VAR-202009-0287


CVE

CVE-2020-14028


TITLE

Path Traversal Vulnerability in Ozeki NG SMS Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-011461

DESCRIPTION

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By leveraging a path traversal vulnerability in the Autoreply module's Script Name, an attacker may write to or overwrite arbitrary files, with arbitrary content, usually with NT AUTHORITY\SYSTEM privileges. Ozeki NG SMS Gateway contains a path traversal vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. The program can convert your incoming emails to SMS and send them to your mobile phone. The main functions are: (1) sending and receiving messages in both directions (from phone to system, from system to phone); (2) support for various desktop email and Webmail applications; (3) a powerful server that supports the program and stores the SMS messages you send and receive; (4) support for multiple devices, etc.

Trust: 1.71

sources: NVD: CVE-2020-14028 // JVNDB: JVNDB-2020-011461 // VULHUB: VHN-166865

AFFECTED PRODUCTS

vendor: ozeki, model: ng sms gateway, scope: lte, version: 4.17.6

Trust: 1.0

vendor: ozeki, model: ng-sms gateway, scope: eq, version: -

Trust: 0.8

vendor: ozeki, model: ng-sms gateway, scope: lte, version: 4.17.6 until

Trust: 0.8

sources: JVNDB: JVNDB-2020-011461 // NVD: CVE-2020-14028

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14028
value: HIGH

Trust: 1.0

NVD: CVE-2020-14028
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-1333
value: HIGH

Trust: 0.6

VULHUB: VHN-166865
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-14028
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-166865
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14028
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-14028
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166865 // JVNDB: JVNDB-2020-011461 // CNNVD: CNNVD-202009-1333 // NVD: CVE-2020-14028

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.1

problemtype: Path traversal (CWE-22) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-166865 // JVNDB: JVNDB-2020-011461 // NVD: CVE-2020-14028

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1333

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202009-1333

PATCH

title: Download Ozeki Software Products, url: http://www.ozeki.hu/index.php?owpn=231

Trust: 0.8

title: Ozeki NG SMS Gateway Autoreply Repair measures for path traversal vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129302

Trust: 0.6

sources: JVNDB: JVNDB-2020-011461 // CNNVD: CNNVD-202009-1333

EXTERNAL IDS

db: NVD, id: CVE-2020-14028

Trust: 2.5

db: JVNDB, id: JVNDB-2020-011461

Trust: 0.8

db: CNNVD, id: CNNVD-202009-1333

Trust: 0.7

db: CNVD, id: CNVD-2020-53532

Trust: 0.1

db: VULHUB, id: VHN-166865

Trust: 0.1

sources: VULHUB: VHN-166865 // JVNDB: JVNDB-2020-011461 // CNNVD: CNNVD-202009-1333 // NVD: CVE-2020-14028

REFERENCES

url: https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14028-arbitary%20file%20write-ozeki%20sms%20gateway

Trust: 2.5

url: http://www.ozeki.hu/index.php?owpn=231

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-14028

Trust: 1.4

sources: VULHUB: VHN-166865 // JVNDB: JVNDB-2020-011461 // CNNVD: CNNVD-202009-1333 // NVD: CVE-2020-14028

SOURCES

db: VULHUB, id: VHN-166865
db: JVNDB, id: JVNDB-2020-011461
db: CNNVD, id: CNNVD-202009-1333
db: NVD, id: CVE-2020-14028

LAST UPDATE DATE

2024-11-23T22:25:22.526000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166865, date: 2020-09-26T00:00:00
db: JVNDB, id: JVNDB-2020-011461, date: 2021-04-02T07:53:00
db: CNNVD, id: CNNVD-202009-1333, date: 2020-09-27T00:00:00
db: NVD, id: CVE-2020-14028, date: 2024-11-21T05:02:23.080

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166865, date: 2020-09-22T00:00:00
db: JVNDB, id: JVNDB-2020-011461, date: 2021-04-02T00:00:00
db: CNNVD, id: CNNVD-202009-1333, date: 2020-09-22T00:00:00
db: NVD, id: CVE-2020-14028, date: 2020-09-22T18:15:23.840