Summary:
A vulnerability in the ShoreTel platform (CVE-2018-12901) could allow an attacker to create a specially crafted URL that gives them the ability to execute arbitrary code in a victim’s browser if the victim clicks the link. This issue was discovered by Harrison Coale of Secureworks® during a penetration test against a client. The severity of these issue is medium, as exploitation requires little effort on the part of the attacker and the systems are readily found by searching indexed public systems on Google. ShoreTel platform versions prior to and including 19.49.8600.0 may be vulnerable to cross-site scripting.
Download the PDF: Secureworks Security Advisory 2018-001