CVE-2020-14024

Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
ozekiozeki_ng_sms_gateway
𝑥
≤ 4.17.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14024-Multiple%20XSS-Ozeki%20SMS%20Gateway
https://www.ozeki.hu/index.php?owpn=231
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14024-Multiple%20XSS-Ozeki%20SMS%20Gateway
https://www.ozeki.hu/index.php?owpn=231