Zero-Day vulnerability discovered by Joe Helle, Security Engineer at Integration Partners
On November 8th, 2020, our newest Security Engineer, Joe Helle, was issued a CVE (Common Vulnerabilities and Exposures) number for a Zero-Day Reflected Cross-Site Scripting vulnerability in version 46.1802.0 of a ShoreTel web conferencing application.
After researching the application version and determining that there were no previously reported findings on exploitation of the parameter, Joe filed for a CVE with MITRE. MITRE agreed with the assessment and issued CVE-2020-28351 for the finding.
Integration Partners regularly conducts web application assessments for clients, and the scans and tests that found this vulnerability are the same ones used on every client engagement.
In addition to finding vulnerabilities such as these in client web applications and infrastructure, Integration Partners security engineers provide valuable information about remediating those vulnerabilities to help with hardening the client’s infrastructure.
Learn more about the CVE number here.
See the exploit and proof of concept information here.