← back
CVE-2020-28351

CVE-2020-28351

EPSS 16.0%
The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.
Affected products
n/a · n/a
public PoCs found3
githubgithub.com/dievus/CVE-2020-283513cve_referencepacketstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49026unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.htmlhttps://github.com/dievus/cve-2020-28351https://www.mitel.com/articles/what-happened-shoretel-products