Integration Partners discovers Zero-Day vulnerability in Web Application

Zero-Day vulnerability discovered by Joe Helle, Security Engineer at Integration Partners

 

On November 8th, 2020, our newest Security Engineer, Joe Helle, was issued a CVE (Common Vulnerabilities and Exposures) number for a Zero-Day Reflected Cross-Site Scripting vulnerability in the ShoreTel web conferencing web application, version 46.1802.0.

While working on a client security assessment, Joe located a possible vulnerability where user-input parameters were not being validated and sanitized before use. After manipulating the input, Joe discovered that arbitrary JavaScript commands could be issued to the web application, causing it to respond according to those malicious commands.

After researching the application version and determining that there were no previously reported findings on exploitation of this parameter, Joe filed for a CVE (Common Vulnerabilities and Exposures) with MITRE. MITRE agreed with the assessment and issued Joe CVE number CVE-2020-28351 for the finding.

Integration Partners regularly conducts web application assessments for clients, and the scans and tests that found this vulnerability are the same ones used on every client engagement.

In addition to finding vulnerabilities such as these in client web applications and infrastructure, Integration Partners security engineers provide valuable information about remediating those vulnerabilities to help with hardening the client’s infrastructure.

 

Resources

Learn more about the CVE number here.

See the exploit and proof of concept information here.