Vulnerability Details CVE-2020-28351
The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.091
EPSS Ranking 92.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html
- https://github.com/dievus/cve-2020-28351
- https://www.mitel.com/articles/what-happened-shoretel-products
- http://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html
- https://github.com/dievus/cve-2020-28351
- https://www.mitel.com/articles/what-happened-shoretel-products
Products affected by CVE-2020-28351
-
cpe:2.3:h:mitel:shoretel:-
-
cpe:2.3:o:mitel:shoretel_firmware:19.46.1802.0