Vulnerability Name: Reflected Cross-Site Scripting in ShoreTel Conference Web Platform
Registered: CVE-2020-12679
Jill Kamperides
Scott Goodwin, OSCP
OCD Tech
Vendor of Product:
Mitel (formerly ShoreTel)
Affected Product Code Base:
ShoreTel Conference Web Application - 19.50.1000.0
Affected Component:
Affected HTML form element at page "home.php"
Attack Type:
Vulnerability Type:
Cross-Site Scripting (XSS)
Vulnerability Impact:
Code Execution, Information Disclosure
Attack Vector:
To exploit this vulnerability, a user must navigate to the ShoreTel conference homepage
using a specially crafted URL.
A reflected cross-site scripting (XSS) vulnerability in the Mitel / ShoreTel Conference
Web Application version 19.50.1000.0 allows remote attackers to inject arbitrary
JavaScript and HTML via the pathname following home.php.
Reporting Timeline:
04/06/2020: Vulnerability was reported to Mitel
05/05/2020: Vulnerability patched in MiVoice Connect 18.7 SP2 (build # 21.90.9743.0)
05/06/2020: Vulnerability registered
05/06/2020: Public disclosure
Remediated Product Version:
MiVoice Connect 18.7 SP2 Build 21.90.9743.0
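
Added example (not part of the original advisory or of vendor code): a log-review check for the attack vector described above, flagging requests whose pathname following home.php decodes to HTML markup characters. The combined access-log format, the flagged character set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters that let a reflected value be parsed as markup (assumed set).
MARKUP = set("<>\"'`")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C) is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def path_after_home_php(target):
    """Return the decoded pathname that follows home.php, or None."""
    path = decode_fully(target.split("?", 1)[0])
    match = re.search(r"/home\.php(/.*)$", path, re.IGNORECASE | re.DOTALL)
    return match.group(1) if match else None


def suspicious_requests(log_lines):
    """Yield (line_number, trailing_path) for requests worth reviewing."""
    for number, line in enumerate(log_lines, 1):
        request = REQUEST.search(line)
        if not request:
            continue
        trailing = path_after_home_php(request.group(1))
        if trailing and MARKUP & set(trailing):
            yield number, trailing


# Constructed sample entries, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2020:10:00:01 +0000] "GET /home.php HTTP/1.1" 200 5120',
    '10.0.0.7 - - [06/May/2020:10:00:09 +0000] "GET /home.php/%3Cb%3Etest HTTP/1.1" 200 5170',
    '10.0.0.7 - - [06/May/2020:10:00:12 +0000] "GET /home.php/%253Cb%253E HTTP/1.1" 200 5166',
    '10.0.0.9 - - [06/May/2020:10:00:20 +0000] "GET /home.php/join?id=42 HTTP/1.1" 200 5130',
]

if __name__ == "__main__":
    for number, trailing in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: path after home.php = {trailing!r}")
```

A hit only shows that markup reached the server in that path position; whether it was reflected depends on the installed build, so check it against the remediated version listed above.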