CVE-2020-13480-Verint-HTML Injection

Vulnerable Software: Verint Workforce Optimization (WFO)

Vulnerability: HTML Injection

Affected Version: 15.2

Vendor Homepage:  https://www.verint.com

CVE: CVE-2020-13480

CVE Author: Tejas Nitin Pingulkar

Exploit Available: POC Available

About Affected Software


Verint Workforce Optimization is a suite of unified software and services for capturing interactions and managing the performance of employees across the enterprise or in targeted areas of your business, including:

  • Back-office operations
  • Branch operations
  • Contact centers
  • Financial trading rooms

Additional Information


Verint WFO application provides functionality to send receive emails within an application. However application fails to sanitize user input.

Exploit:


1. Open send email function 

2. Write your payload inside the body

POC:


Timeline:

Initial Email Sent: 21 May 2020 — No response
Followup 2: 25 May 2020 — No response
Followup 3: 26 May 2020 — No response
CVE Generated: 26 May 2020
Followup 4:08 June 2020 — No response
Published: 09 June 2020


Comments

Popular posts from this blog

CVE-2020-13474: NCH Express Accounts- Privilege Escalation

CVE-2020-23446 Verint Workforce Optimization (WFO)

CVE-2020-13475: NCH accounts-Cross Site Scripting