ozeki CVE Vulnerabilities & Metrics

Focus on ozeki vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About ozeki Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ozeki. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total ozeki CVEs: 11
Earliest CVE date: 18 Sep 2020, 18:15 UTC
Latest CVE date: 30 Sep 2020, 18:15 UTC

Latest CVE reference: CVE-2020-14030

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ozeki CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 6.4

Max CVSS: 9.3

Critical CVEs (≥9): 4

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	6
7.0-8.9	0
9.0-10.0	4

CVSS Distribution Chart

Top 5 Highest CVSS ozeki CVEs

These are the five CVEs with the highest CVSS scores for ozeki, sorted by severity first and recency.

CVE-2020-14026 ozeki Published on 22 Sep 2020, 18:15 UTC (CVSS: 9.3)
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export.
CVE-2020-14031 ozeki Published on 22 Sep 2020, 18:15 UTC (CVSS: 9.0)
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The outbox functionality of the TXT File module can be used to delete all/most files in a folder. Because the product usually runs as NT AUTHORITY\SYSTEM, the only files that will not be deleted are those currently being run by the system and/or files that have special security attributes (e.g., Windows Defender files).
CVE-2020-14028 ozeki Published on 22 Sep 2020, 18:15 UTC (CVSS: 9.0)
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By leveraging a path traversal vulnerability in the Autoreply module's Script Name, an attacker may write to or overwrite arbitrary files, with arbitrary content, usually with NT AUTHORITY\SYSTEM privileges.
CVE-2020-14022 ozeki Published on 22 Sep 2020, 18:15 UTC (CVSS: 9.0)
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Starter" module) within the application.
CVE-2020-14025 ozeki Published on 22 Sep 2020, 18:15 UTC (CVSS: 6.8)
Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as installing new modules or changing a password.

All CVEs for ozeki

CVE-2020-14030 ozeki vulnerability CVSS: 6.5 30 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious .NET serialized files, an attacker can trick the product into deserializing them, resulting in arbitrary code execution.

CVE-2020-14031 ozeki vulnerability CVSS: 9.0 22 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The outbox functionality of the TXT File module can be used to delete all/most files in a folder. Because the product usually runs as NT AUTHORITY\SYSTEM, the only files that will not be deleted are those currently being run by the system and/or files that have special security attributes (e.g., Windows Defender files).

CVE-2020-14028 ozeki vulnerability CVSS: 9.0 22 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By leveraging a path traversal vulnerability in the Autoreply module's Script Name, an attacker may write to or overwrite arbitrary files, with arbitrary content, usually with NT AUTHORITY\SYSTEM privileges.

CVE-2020-14027 ozeki vulnerability CVSS: 3.5 22 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLE_LOCAL_INFILE, that can be leveraged by attackers to enable MySQL Load Data Local (rogue MySQL server) attacks.

CVE-2020-14026 ozeki vulnerability CVSS: 9.3 22 Sep 2020, 18:15 UTC

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export.

CVE-2020-14025 ozeki vulnerability CVSS: 6.8 22 Sep 2020, 18:15 UTC

Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as installing new modules or changing a password.

CVE-2020-14024 ozeki vulnerability CVSS: 4.3 22 Sep 2020, 18:15 UTC

Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application.

CVE-2020-14023 ozeki vulnerability CVSS: 4.0 22 Sep 2020, 18:15 UTC

Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.

CVE-2020-14022 ozeki vulnerability CVSS: 9.0 22 Sep 2020, 18:15 UTC

Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Starter" module) within the application.

CVE-2020-14029 ozeki vulnerability CVSS: 5.0 18 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files.

CVE-2020-14021 ozeki vulnerability CVSS: 4.0 18 Sep 2020, 18:15 UTC

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The ASP.net SMS module can be used to read and validate the source code of ASP files. By altering the path, it can be made to read any file on the Operating System, usually with NT AUTHORITY\SYSTEM privileges.