PT-2020-13848 · Ozeki · Ozeki Ng Sms Gateway

Drunkenshells · Published 2020-09-22 · Updated 2020-09-26 · CVE-2020-14024

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ozeki NG SMS Gateway, versions prior to 4.17.7
Description: Ozeki NG SMS Gateway before 4.17.7 contains multiple authenticated stored and/or reflected cross-site scripting (XSS) vulnerabilities. User-controlled values are written into pages of the web interface without adequate output encoding in at least the following places: (1) the Receiver or Recipient field of the Mailbox feature, (2) the OZFORM_GROUPNAME field in the Group configuration of addresses, (3) the listname field in the Defining address lists configuration, and (4) any GET parameter of the application's "/default" URL. Planting a payload through the configuration fields requires an authenticated account; the injected script then runs in the browser of any user who later views the affected page. The reflected variant via "/default" only requires a victim to open a crafted link (UI:R in the vector).
Recommendations: Upgrade Ozeki NG SMS Gateway to version 4.17.7 or later. Until the upgrade is applied, reduce exposure rather than rely on user behaviour: restrict access to the gateway's web interface, and in particular to the Mailbox feature, the Group configuration of addresses and the Defining address lists configuration, to trusted administrators and networks; do not open links to the gateway's "/default" URL that carry unexpected query parameters; and treat values already stored in the Receiver/Recipient, OZFORM_GROUPNAME and listname fields as untrusted until they have been reviewed, since a stored payload planted before the upgrade is not removed by the upgrade itself.
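The following is an added example written for this page, not code from Ozeki or from the advisory. It shows the bug class behind item (4) of the description (a GET parameter echoed into HTML unencoded) next to a hardened rendering, and a small classifier that tells whether a probe marker came back raw, HTML-encoded or not at all, which is the check to run against a response from the "/default" URL after upgrading. The two renderer functions are hypothetical stand-ins for the gateway's real handler; the host name and parameter names are arbitrary; only the "/default" path comes from the advisory.

```python
"""Reflected-XSS probe classifier (added example; not Ozeki code).

Part 1: a toy renderer with the advisory's bug class, beside a hardened one.
Part 2: classify_reflection() takes any HTTP response body and the marker you
        sent in a GET parameter and reports how the page reflected it.
"""
import html
import re
import secrets
import urllib.parse
from typing import Mapping


def make_marker() -> str:
    """Unique token wrapped in characters that HTML text context must encode.
    If the angle brackets come back intact, the page reflects unencoded."""
    return "<xssprobe" + secrets.token_hex(4) + ">"


def probe_url(base: str, param: str, marker: str) -> str:
    """URL for one probe against the /default URL named in the advisory.
    `param` is any name: the advisory says every GET parameter is affected."""
    return base.rstrip("/") + "/default?" + urllib.parse.urlencode({param: marker})


def render_default_vulnerable(params: Mapping[str, str]) -> str:
    """Hypothetical stand-in for a handler that echoes every query parameter
    into the page as raw HTML. This is the defect class CVE-2020-14024 describes,
    not the gateway's actual template."""
    rows = "".join(f"<li>{k}={v}</li>" for k, v in params.items())
    return f"<html><body><ul>{rows}</ul></body></html>"


def render_default_fixed(params: Mapping[str, str]) -> str:
    """Same page with every untrusted value passed through HTML text encoding
    before it is concatenated into markup."""
    rows = "".join(f"<li>{html.escape(k)}={html.escape(v)}</li>"
                   for k, v in params.items())
    return f"<html><body><ul>{rows}</ul></body></html>"


def classify_reflection(body: str, marker: str) -> str:
    """Return one of:
      'unencoded' - marker present verbatim, brackets intact (vulnerable)
      'encoded'   - token present, brackets turned into &lt;/&gt; or numeric entities
      'absent'    - token not reflected at all
      'mangled'   - token reflected in some other transformed form; inspect by hand
    """
    if marker in body:
        return "unencoded"
    token = marker.strip("<>")
    if token not in body:
        return "absent"
    entity_form = (r"(&lt;|&#60;|&#x3c;)" + re.escape(token) + r"(&gt;|&#62;|&#x3e;)")
    if re.search(entity_form, body, re.IGNORECASE):
        return "encoded"
    return "mangled"


if __name__ == "__main__":
    # Offline demonstration against the two toy renderers (constructed input).
    marker = make_marker()
    print(probe_url("http://gateway.example", "anyparam", marker))
    print("vulnerable renderer:",
          classify_reflection(render_default_vulnerable({"anyparam": marker}), marker))
    print("fixed renderer:     ",
          classify_reflection(render_default_fixed({"anyparam": marker}), marker))
```

To re-test a real instance, fetch `probe_url(...)` with an HTTP client of your choice and pass the response body to `classify_reflection`; a result of `encoded` or `absent` for every parameter name you try is what a fixed 4.17.7 build should produce, while `unencoded` reproduces the reflected issue. The marker is randomised per run so a stored copy from an earlier probe cannot be mistaken for a fresh reflection.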

References: Exploit · Fix

Tags: XSS


Weakness Enumeration

Related Identifiers: CVE-2020-14024

Affected Products: Ozeki NG SMS Gateway