Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Vulnerability Name: Reflected Cross-Site Scripting in ShoreTel Conference Web Platform
Registered: CVE-2020-12679
Discoverers:
Jill Kamperides
Scott Goodwin, OSCP
OCD Tech
https://ocd-tech.com
Vendor of Product:
Mitel (formerly ShoreTel)
Affected Product Code Base:
ShoreTel Conference Web Application - 19.50.1000.0
Affected Component:
Affected HTML form element at page "home.php"
Attack Type:
Remote
Vulnerability Type:
Cross-Site Scripting (XSS)
Vulnerability Impact:
Code Execution, Information Disclosure
Attack Vector:
To exploit this vulnerability, a user must navigate to the ShoreTel conference homepage
using a specially crafted URL.
Description:
A reflected cross-site scripting (XSS) vulnerability in the Mitel / ShoreTel Conference
Web Application version 19.50.1000.0 allows remote attackers to inject arbitrary
JavaScript and HTML via the pathname following home.php.
Reporting Timeline:
04/06/2020: Vulnerability was reported to Mitel
05/05/2020: Vulnerability patched in MiVoice Connect 18.7 SP2 (build # 21.90.9743.0)
05/06/2020: Vulnerability registered
05/06/2020: Public disclosure
Remediated Product Version:
MiVoice Connect 18.7 SP2 Build 21.90.9743.0
Reference:
https://www.mitel.com/articles/what-happened-shoretel-products
https://ocd-tech.com
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment