CVE Vulnerability

CVE-2020-14026

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export.

9.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14026-Formula%20Injection-Ozeki%20SMS%20Gateway Exploit Third Party Advisory
https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2Fattachments%2F702%2Finstallwindows_1590575794_OzekiNG-SMS-Gateway_4.17.6.zip&dname=Ozeki+NG+SMS+Gateway+v4.17.6&dsize=+%2817.8+MB%29&platform=Windows Release Notes Vendor Advisory
https://www.ozeki.hu/index.php?owpn=231 Product Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:ozeki:ozeki_ng_sms_gateway:*:*:*:*:*:*:*:*
Information

Published : 2020-09-22 06:15

Updated : 2020-09-26 02:34

NVD link : CVE-2020-14026

Mitre link : CVE-2020-14026

Products Affected
No products.
CWE
CWE-1236

Improper Neutralization of Formula Elements in a CSV File