CVE-2020-11798
published 2020-06-10CVE-2020-11798: A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access…
PriorityP279medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
45.24%
98.6th percentile
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | micollab_audio_web_video_conferencing | < 8.1.2.4 | 8.1.2.4 |
| mitel | micollab_audio_web_video_conferencing | >= 9.0 < 9.1.3 | 9.1.3 |
Detection & IOCsextracted from sources · hover to see the quote
url/awcuser/cgi-bin/vcs_access_file.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd↗
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)"; flow:established,to_server; http.request_line; content:"GET /awcuser/cgi-bin/vcs_access_file.cgi?file="; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11798.yaml; reference:cve,2020-11798; classtype:web-application-attack; sid:2056355; rev:2; metadata:affected_product Mitel, created_at 2024_09_30, cve CVE_2020_11798, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)yara
regex: root:.*:0:0:
- →Exploit targets HTTP GET requests to /awcuser/cgi-bin/vcs_access_file.cgi with a URL-encoded path traversal sequence in the 'file' parameter (e.g., ..%2f repeated 16+ times) to read arbitrary files such as /etc/passwd. ↗
- →Successful exploitation returns HTTP 200 with a response Content-Type header of 'application/x-download' and 'filename=passwd', indicating file download of /etc/passwd.
- →Response body match for successful LFI: look for the regex pattern 'root:.*:0:0:' in the HTTP response body, confirming /etc/passwd was read.
- →Snort/Suricata PCRE for traversal detection: match GET requests to the CGI endpoint where the file parameter contains two or more URL-encoded or literal dot-dot-slash sequences.
- →Shodan/FOFA fingerprinting queries to identify exposed Mitel MiCollab AWV instances: search for HTML containing both 'Mitel' and 'MiCollab'.
- ·The vulnerability affects Mitel MiCollab AWV versions before 8.1.2.4 and 9.x before 9.1.3. The exploit payload uses 16 levels of URL-encoded traversal (..%2f), but the Snort rule's PCRE requires only 2 or more traversal sequences, providing broader coverage. ↗
- ·The Snort rule (sid:2056355, rev:2) is scoped to deployments at Perimeter, Internal, and SSLDecrypt positions, meaning SSL/TLS inspection is required to detect this attack over HTTPS.
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-25p6-jmrr-3hj2: A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8
ghsa_unreviewed·2022-05-24
CVE-2020-11798 [MEDIUM] CWE-22 GHSA-25p6-jmrr-3hj2: A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
VulnCheck
Mitel micollab_audio\,_web_\&_video_conferencing Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2020·CVSS 5.3
CVE-2020-11798 [MEDIUM] Mitel micollab_audio\,_web_\&_video_conferencing Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Mitel micollab_audio\,_web_\&_video_conferencing Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
Affected: Mitel micollab_audio\,_web_\&_video_conferencing
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statist
Suricata
ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)
suricata·2024-09-30·CVSS 5.3
CVE-2020-11798 [MEDIUM] ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)
ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel Micollab Directory Traversal Attempt (CVE-2020-11798)"; flow:established,to_server; http.request_line; content:"GET /awcuser/cgi-bin/vcs_access_file.cgi?file="; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11798.yaml; reference:cve,2020-11798; classtype:web-application-attack; sid:2056355; rev:2; metadata:affected_product Mitel, created_at 2024_09_30, cve CVE_2020_11798, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Des
Exploit-DB
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI
exploitdb·2023-04-06·CVSS 5.3
CVE-2020-11798 [MEDIUM] Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI
---
# Exploit Title: Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI
# Date: 2022-10-14
# Fix Date: 2020-05
# Exploit Author: Kahvi-0
# Github: https://github.com/Kahvi-0
# Vendor Homepage: https://www.mitel.com/
# Vendor Security Advisory: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0005
# Version: before 8.1.2.4 and 9.x before 9.1.3
# CVE: CVE-2020-11798
# CVE Reported By: Tri Bui
Description:
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access valid
Nuclei
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
nuclei·CVSS 5.3
CVE-2020-11798 [MEDIUM] Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
Template:
id: CVE-2020-11798
info:
name: Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal
author: ritikchaddha
severity: medium
description: |
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted direct
No writeups or analysis indexed.
http://packetstormsecurity.com/files/171751/Mitel-MiCollab-AWV-8.1.2.4-9.1.3-Directory-Traversal-LFI.htmlhttps://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin-20-0005-01.pdfhttps://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0005http://packetstormsecurity.com/files/171751/Mitel-MiCollab-AWV-8.1.2.4-9.1.3-Directory-Traversal-LFI.htmlhttps://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin-20-0005-01.pdfhttps://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0005
2020-06-10
Published
Exploited in the wild