PT-2020-13854 · Ozeki · Ozeki Ng Sms Gateway
Published: 2020-09-29 · Updated: 2020-10-09 · CVE-2020-14030
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ozeki NG SMS Gateway versions prior to 4.17.7
Description
Ozeki NG SMS Gateway stores SMS messages on the filesystem in .NET serialized format. An attacker can generate malicious .NET serialized files which, when written to disk and deserialized by the product, can result in arbitrary code execution.
Recommendations
For Ozeki NG SMS Gateway versions prior to 4.17.7, update to version 4.17.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the filesystem where SMS messages are stored to minimize the risk of exploitation.
Exploit
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Ozeki Ng Sms Gateway