ID

VAR-202009-0288


CVE

CVE-2020-14029


TITLE

XML external entity vulnerability in Ozeki NG SMS Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-011470

DESCRIPTION

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files. The program can convert your incoming emails to SMS and send them to your mobile phone. The main functions are: (1) sending and receiving messages in two directions (from phone to system, and from system to phone); (2) support for various desktop email and webmail applications; (3) a powerful server that supports the program and stores the SMS messages you send and receive; (4) support for multiple devices, etc.

Trust: 1.71

sources: NVD: CVE-2020-14029 // JVNDB: JVNDB-2020-011470 // VULHUB: VHN-166866

AFFECTED PRODUCTS

vendor: ozeki, model: ng sms gateway, scope: lte, version: 4.17.6

Trust: 1.0

vendor: ozeki, model: ng-sms gateway, scope: eq, version: -

Trust: 0.8

vendor: ozeki, model: ng-sms gateway, scope: lte, version: 4.17.6 until

Trust: 0.8

sources: JVNDB: JVNDB-2020-011470 // NVD: CVE-2020-14029

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14029
value: HIGH

Trust: 1.0

NVD: CVE-2020-14029
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-1244
value: HIGH

Trust: 0.6

VULHUB: VHN-166866
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14029
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-166866
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14029
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-14029
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166866 // JVNDB: JVNDB-2020-011470 // CNNVD: CNNVD-202009-1244 // NVD: CVE-2020-14029

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.1

problemtype: Improper restriction of XML external entity reference (CWE-611) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-166866 // JVNDB: JVNDB-2020-011470 // NVD: CVE-2020-14029

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1244

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202009-1244

PATCH

title: Download Ozeki Software Products, url: http://www.ozeki.hu/index.php?owpn=231

Trust: 0.8

title: Ozeki NG SMS Gateway Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129275

Trust: 0.6

sources: JVNDB: JVNDB-2020-011470 // CNNVD: CNNVD-202009-1244

EXTERNAL IDS

db: NVD, id: CVE-2020-14029

Trust: 2.5

db: JVNDB, id: JVNDB-2020-011470

Trust: 0.8

db: CNNVD, id: CNNVD-202009-1244

Trust: 0.7

db: VULHUB, id: VHN-166866

Trust: 0.1

sources: VULHUB: VHN-166866 // JVNDB: JVNDB-2020-011470 // CNNVD: CNNVD-202009-1244 // NVD: CVE-2020-14029

REFERENCES

url: https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14029-xxe-ozeki%20sms%20gateway

Trust: 2.5

url: http://www.ozeki.hu/index.php?owpn=231

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-14029

Trust: 1.4

sources: VULHUB: VHN-166866 // JVNDB: JVNDB-2020-011470 // CNNVD: CNNVD-202009-1244 // NVD: CVE-2020-14029

SOURCES

db: VULHUB, id: VHN-166866
db: JVNDB, id: JVNDB-2020-011470
db: CNNVD, id: CNNVD-202009-1244
db: NVD, id: CVE-2020-14029

LAST UPDATE DATE

2024-11-23T22:11:23.855000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166866, date: 2020-09-26T00:00:00
db: JVNDB, id: JVNDB-2020-011470, date: 2021-04-05T05:48:00
db: CNNVD, id: CNNVD-202009-1244, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2020-14029, date: 2024-11-21T05:02:23.250

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166866, date: 2020-09-18T00:00:00
db: JVNDB, id: JVNDB-2020-011470, date: 2021-04-05T00:00:00
db: CNNVD, id: CNNVD-202009-1244, date: 2020-09-18T00:00:00
db: NVD, id: CVE-2020-14029, date: 2020-09-18T18:15:16.287