cbcvebase.
CVE-2020-11798
published 2020-06-10


Priority: P2 79 | medium | 5.3 | CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 45.24% (98.6th percentile)
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.

Affected

2 ranges
Vendor  Product                                   Version range     Fixed in
mitel   micollab_audio_web_video_conferencing     < 8.1.2.4         8.1.2.4
mitel   micollab_audio_web_video_conferencing     >= 9.0 < 9.1.3    9.1.3

Detection & IOCs (extracted from sources)

url: /awcuser/cgi-bin/vcs_access_file.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd
path: /awcuser/cgi-bin/vcs_access_file.cgi
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)"; flow:established,to_server; http.request_line; content:"GET /awcuser/cgi-bin/vcs_access_file.cgi?file="; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11798.yaml; reference:cve,2020-11798; classtype:web-application-attack; sid:2056355; rev:2; metadata:affected_product Mitel, created_at 2024_09_30, cve CVE_2020_11798, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
yara
regex: root:.*:0:0:
  • Exploit targets HTTP GET requests to /awcuser/cgi-bin/vcs_access_file.cgi with a URL-encoded path traversal sequence in the 'file' parameter (e.g., ..%2f repeated 16+ times) to read arbitrary files such as /etc/passwd.
  • Successful exploitation returns HTTP 200 with a response Content-Type header of 'application/x-download' and 'filename=passwd', indicating file download of /etc/passwd.
  • Response body match for successful LFI: look for the regex pattern 'root:.*:0:0:' in the HTTP response body, confirming /etc/passwd was read.
  • Snort/Suricata PCRE for traversal detection: match GET requests to the CGI endpoint where the file parameter contains two or more URL-encoded or literal dot-dot-slash sequences.
  • Shodan/FOFA fingerprinting queries to identify exposed Mitel MiCollab AWV instances: search for HTML containing both 'Mitel' and 'MiCollab'.
  • The vulnerability affects Mitel MiCollab AWV versions before 8.1.2.4 and 9.x before 9.1.3. The exploit payload uses 16 levels of URL-encoded traversal (..%2f), but the Snort rule's PCRE requires only 2 or more traversal sequences, providing broader coverage.
  • The Snort rule (sid:2056355, rev:2) is scoped to deployments at Perimeter, Internal, and SSLDecrypt positions, meaning SSL/TLS inspection is required to detect this attack over HTTPS.
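
Added example (not part of the original record or of the rule's author): a log-triage sketch that applies the rule's request-line prefix and traversal PCRE, plus the response indicators listed above, to recorded HTTP transactions. The event field names and the sample transactions are assumptions constructed for illustration.

```python
import re

# Request-line prefix and traversal PCRE taken from the rule above (sid:2056355).
ENDPOINT = "GET /awcuser/cgi-bin/vcs_access_file.cgi?file="
TRAVERSAL = re.compile(
    r"^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)
# Response-body indicator listed above: a root entry from /etc/passwd.
PASSWD_BODY = re.compile(r"root:.*:0:0:")


def is_traversal_attempt(request_line):
    """True when the request line would match the rule's content + pcre."""
    if not request_line.startswith(ENDPOINT):
        return False
    # The rule's /R flag anchors the PCRE right after the content match.
    return TRAVERSAL.match(request_line[len(ENDPOINT):]) is not None


def classify(event):
    """Return 'none', 'attempt' or 'success' for one HTTP transaction."""
    if not is_traversal_attempt(event["request_line"]):
        return "none"
    downloaded = (
        event["status"] == 200
        and event.get("content_type", "").startswith("application/x-download")
    )
    if downloaded and PASSWD_BODY.search(event.get("body", "")):
        return "success"
    return "attempt"


# Constructed sample transactions (assumed field names, not real traffic).
SAMPLES = [
    {"request_line": ENDPOINT + "..%2f" * 16 + "/etc/passwd HTTP/1.1",
     "status": 200, "content_type": "application/x-download",
     "body": "root:x:0:0:root:/root:/bin/bash\n"},
    {"request_line": ENDPOINT + "..\\..\\conf HTTP/1.1", "status": 404},
    {"request_line": ENDPOINT + "..%2fnotes.txt HTTP/1.1", "status": 200},
    {"request_line": ENDPOINT + "slides.pdf HTTP/1.1", "status": 200,
     "content_type": "application/x-download", "body": "%PDF-1.4"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample["request_line"][:80])
```

The third sample shows the rule's threshold: a single traversal sequence does not match, so a transaction classified as 'none' is not proof that the endpoint was used benignly.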

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck           5.3    MEDIUM