#VU47083 CSV Injection in Ozeki NG SMS Gateway - CVE-2020-14026

Cybersecurity Help s.r.o.

Published: 2020-09-22 | Updated: 2020-09-24

Vulnerability identifier: #VU47083

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14026

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ozeki NG SMS Gateway
Web applications / Remote management & hosting panels

Vendor: Ozeki Ltd.

Description

The vulnerability allows a remote attacker to inject arbitrary code into CSV files.

The vulnerability exists due to improper input validation within the in the Export Of Contacts feature. A remote user can inject arbitrary code into a CSV file.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ozeki NG SMS Gateway: 4.0.0 - 4.17.6

External links
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14026-Formula%20Injection-Ozeki%20SMS%20Gateway
https://www.ozeki.hu/index.php?ow_page_number=1017&downloadaction=email&download_product_id=1&os=windows&dpath=%2Fattachments%2F702%2Finstallwindows_1590575794_OzekiNG-SMS-Gateway_4.17.6.zip&dname=Ozeki+NG+SMS+Gateway+v4.17.6&dsize=+%2817.8+MB%29&platform=Windows
https://www.ozeki.hu/index.php?owpn=231

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Ozeki NG SMS Gateway